@Dependabot API ignore major version not working
pzygielo opened this issue · 5 comments
Is there an existing issue for this?
- I have searched the existing issues
Package ecosystem
maven
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
https://github.com/pzrep/dbot-semver-maven/blob/master/pom.xml
dependabot.yml content
https://github.com/pzrep/dbot-semver-maven/blob/master/.github/dependabot.yml
Updated dependency
org.slf4j:slf4j-api:1.7.29
What you expected to see, versus what you actually saw
Expected: PR to update to 1.7.36
Actually seen: No such PR.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
Here's what happened.
- Starting with org.slf4j:slf4j-api:1.7.29
- 1st dependabot run -> https://github.com/pzrep/dbot-semver-maven/pull/1
  @dependabot ignore this major version
  -> OK, I won't notify you about version 2.x.x again, unless you re-open this PR.
- 2nd dependabot run -> https://github.com/pzrep/dbot-semver-maven/pull/2
  @dependabot ignore this major version
  -> OK, I won't notify you about version 2.x.x again, unless you re-open this PR.
- 3rd dependabot run ->
```
updater | 2024/10/16 08:17:48 INFO <job_901927934> Checking if org.slf4j:slf4j-api 1.7.29 needs updating
updater | 2024/10/16 08:17:48 INFO <job_901927934> Ignored versions:
2024/10/16 08:17:48 INFO <job_901927934> >= 2.a, < 3 - from @dependabot ignore command
proxy | 2024/10/16 08:17:48 [012] GET https://repo.maven.apache.org:443/maven2/org/slf4j/slf4j-api/maven-metadata.xml
proxy | 2024/10/16 08:17:48 [012] 200 https://repo.maven.apache.org:443/maven2/org/slf4j/slf4j-api/maven-metadata.xml
updater | 2024/10/16 08:17:48 INFO <job_901927934> Filtered out 27 pre-release versions
updater | 2024/10/16 08:17:48 INFO <job_901927934> Filtered out 16 ignored versions
proxy | 2024/10/16 08:17:48 [016] HEAD https://repo.maven.apache.org:443/maven2/org/slf4j/slf4j-api/2.0.0/slf4j-api-2.0.0.jar
proxy | 2024/10/16 08:17:48 [016] 200 https://repo.maven.apache.org:443/maven2/org/slf4j/slf4j-api/2.0.0/slf4j-api-2.0.0.jar
updater | 2024/10/16 08:17:48 INFO <job_901927934> Latest version is 2.0.0
updater | 2024/10/16 08:17:48 INFO <job_901927934> Pull request already exists for org.slf4j:slf4j-api with latest version 2.0.0
```
Result: The update to 1.7.36 is not offered.
Smallest manifest that reproduces the issue
@pzygielo this looks like a bug in the way the @dependabot command calculates the ignore range. It came up with `>= 2.a, < 3` - but that should have been `>= 2.a0, < 3`. I'll work on a fix but in the meantime you can set up the ignore conditions in .github/dependabot.yml. Here is an example:

```yaml
version: 2
updates:
  - package-ecosystem: maven
    directory: /
    schedule:
      interval: "daily"
      time: "01:00"
      timezone: "UTC"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major","version-update:semver-minor"]
    groups:
      dependencies:
        patterns:
          - "*"
    target-branch: main
```
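Under Maven's own ComparableVersion rules a lone qualifier `a` is not an alias for `alpha` (that alias only applies when a digit follows, as in `a0`), and an unknown qualifier sorts after the plain release, so `2.a` lands above `2.0.0` and a range starting at `>= 2.a` never covers it. The Python below is an added example, not code from this thread or from Dependabot, that models those rules to show the generated range and the corrected one side by side; it assumes Dependabot's Maven ordering agrees with Maven's on these inputs, which the log above is consistent with.

```python
# Simplified model of Maven's ComparableVersion ordering: an added example, not
# Dependabot's or Maven's own code. It covers dotted numerics plus qualifiers.
import re
from itertools import zip_longest

# Known qualifiers in Maven's sort order; "" is the release itself. Anything
# else, such as a bare "a", is an unknown qualifier and sorts after "sp".
QUALIFIERS = ["alpha", "beta", "milestone", "rc", "snapshot", "", "sp"]
ALIASES = {"ga": "", "final": "", "release": "", "cr": "rc"}
SHORT = {"a": "alpha", "b": "beta", "m": "milestone"}  # only when a digit follows

def _qualifier_key(word):
    word = ALIASES.get(word, word)
    return (QUALIFIERS.index(word), "") if word in QUALIFIERS else (len(QUALIFIERS), word)

RELEASE = _qualifier_key("")

def parse(version):
    items = []  # ('int', n) or ('str', qualifier key)
    for m in re.finditer(r"(\d+)|([A-Za-z]+)", version):
        if m.group(1):
            items.append(("int", int(m.group(1))))
        else:
            word = m.group(2).lower()
            if word in SHORT and version[m.end():m.end() + 1].isdigit():
                word = SHORT[word]  # "a0" -> alpha 0, but a lone "a" stays "a"
            items.append(("str", _qualifier_key(word)))
    while items and items[-1] == ("int", 0):
        items.pop()  # Maven drops trailing zeros, so 2.0.0 == 2
    return items

def _cmp_item(a, b):
    if a is None:  # shorter version: its missing item acts as 0 or as the release
        return 0 if b is None else -_cmp_item(b, None)
    kind, val = a
    if b is not None and b[0] != kind:
        return 1 if kind == "int" else -1  # numbers outrank qualifiers
    other = (0 if kind == "int" else RELEASE) if b is None else b[1]
    return (val > other) - (val < other)

def compare(left, right):
    diffs = (_cmp_item(a, b) for a, b in zip_longest(parse(left), parse(right)))
    return next((c for c in diffs if c), 0)  # first non-zero item decides

def satisfies(version, spec):  # Dependabot-style range such as '>= 2.a, < 3'
    ops = {">=": lambda c: c >= 0, ">": lambda c: c > 0, "<=": lambda c: c <= 0,
           "<": lambda c: c < 0, "=": lambda c: c == 0}
    return all(ops[op](compare(version, bound))
               for op, bound in re.findall(r"(>=|<=|>|<|=)\s*([^,\s]+)", spec))
```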
Thanks for checking and for the recommendation about the config update.
- I forked the reproducer, and after ignoring the major version in pzygielo/dbot-semver-maven#1 the next PR was pzygielo/dbot-semver-maven#2 as expected.
- https://github.com/pzygielo/dbot-semver-maven/actions/runs/11615834054/job/32347364997
Thank you.
First off, thanks for working to fix the "ignore major version" issue referred to at the start.
I was directed here by @amazimbe from another issue I was replying to concerning this predicament (thanks again for linking, @amazimbe).
I've set up dependabot for our projects to trigger on Sunday. However, I still get major versions included, while I have ignore rules set for those through the issue comment section.
For reference, this is one of the automatically created dependabot PRs showing this behavior.
More concretely, I have a rule to ignore [>= 5.a, < 6] of the org.mockito:mockito-core dependency.
However, an upgrade of org.mockito:mockito-core to 5.0.0 is part of the referred pull request.
As they're perhaps helpful, here are the logs for this specific dependabot run: axonserver-connector-java_AxonIQ_dependabot-logs.json
It is a "rebase" run, though.
I am thinking of two reasons why it might not work for me as expected:
- The fix is merged, but it is not yet active.
- Because it's a rebase run, it took the previous (incorrect) update of Mockito to 5.0.0 with it during the process.