Dependency management #2594

@richardsheridan

The current setup of dependabot is intensively manual and has some negative interactions with pip-tools. I've created 2 PRs with opposite solutions to this problem: #2593 maxes out dependabot usage and automates the PR merges, but sacrifices the precise output of pip-compile, whereas #2592 drops dependabot entirely and does a periodic (and also manually triggerable) pip-compile bump.

Personally I would favor dropping dependabot mainly because of the fewer commits, but I recognize that monthly mass updates are marginally more likely to have difficult-to-diagnose breakage from bad interactions.
