@Dependabot API ignore major version seemingly not working
Closed this issue · 9 comments
Is there an existing issue for this?
- I have searched the existing issues
Package ecosystem
Maven
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
pom.xml
dependabot.yml content
```yaml
version: 2
updates:
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
      day: "sunday"
    open-pull-requests-limit: 5
    labels:
      - "Type: Dependency Upgrade"
      - "Priority 1: Must"
    milestone: 96
    reviewers:
      - "AxonFramework/framework-developers"
    groups:
      github-dependencies:
        update-types:
          - "patch"
          - "minor"
          - "major"
  - package-ecosystem: maven
    directory: "/"
    schedule:
      interval: weekly
      day: "sunday"
    open-pull-requests-limit: 5
    labels:
      - "Type: Dependency Upgrade"
      - "Priority 1: Must"
    milestone: 96
    reviewers:
      - "AxonFramework/framework-developers"
    groups:
      maven-dependencies:
        update-types:
          - "patch"
          - "minor"
          - "major"
```
Updated dependency
No response
What you expected to see, versus what you actually saw
By using the Dependabot bot ignore rules inside a pull request, I expected that my project would not upgrade dependencies that no longer support JDK8.
As it stands, dependencies such as Mockito and Spring Boot have been upgraded to a non-JDK8-supporting version for the last 4 weeks.
I was originally led to issue #10798 by @amazimbe.
Although the issue is marked completed, I still noted the unexpected behavior this week and last week.
I replied to the issue referred to last week with this comment, but I figured making an issue would be the right approach.
An example culprit that does not adhere to the ignore rules I have set up is pull request #3182 from the Axon Framework project.
I have an additional 10 or so other repositories that show similar behavior, though.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
Issue #3182 of the Axon Framework project.
Smallest manifest that reproduces the issue
No response
Just wanted to let all readers know that all repositories I am maintaining still receive dependabot upgrades for major releases that are ignored through the ignore-rules.
Hence, to me, it seems as if #10798 has not been resolved fully yet.
Any form of update on this would be very much appreciated!
If you remove your current ignore conditions and then add them again it should work. You shouldn't see 5.a in the range anymore as that should be 5.a0
So a "fresh" rule set should do the trick. Thanks for sharing that, @amazimbe! I'll give it a try.
It worked for one of the projects (our Axon Server Connector for Java repo), but it did not work for about five others.
So, I went and closed those dependabot PRs, hoping a fresh PR (which I've set to occur on Sunday) would do the trick.
Oh, and thanks for checking in, @amazimbe; much appreciated.
@smcvb did this work?
@abdulapopoola, it did the trick for some, but not all.
However, what's good to know is that I moved towards ignore rules in the dependabot.yml instead of the comment approach discussed above.
To be frank, I find the GitHub comment-based ignore rules rather tiresome to work with.
I was missing a feature like "give me all existing rules," as well as support to adjust everything in one go.
I comprehend it is tough to provide such a feature in a comment-based API, so nothing wrong said about what's there.
The approach just didn't suffice for the amount of rules I had to set.
Hence, I went through the process of checking all dependencies for potentially active ignore rules based on comments, and unignored all of them.
Then, I moved all my rules to the yml file.
Although that solved my personal issue, it also means I cannot state whether the ignore major version support is working as intended fully.
My apologies for that.
From my perspective, it is fine to close this issue, though.
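The config-file form of the ignore rules this comment describes moving to, as an added illustration that is not taken from the issue author's repositories or from the Axon Framework project. The Maven coordinates are assumed (the thread names Mockito and Spring Boot but not their artifact IDs); the `ignore`, `dependency-name` and `update-types: ["version-update:semver-major"]` keys are Dependabot's documented configuration syntax, and the `schedule` mirrors the Maven block posted above.

```yaml
version: 2
updates:
  - package-ecosystem: maven
    directory: "/"
    schedule:
      interval: weekly
      day: "sunday"
    # Added example: declare the "stay on the JDK8-compatible major" policy once in
    # the config file instead of repeating per-PR "@dependabot ignore" comments.
    ignore:
      # Assumed coordinates; the issue names the libraries, not their artifacts.
      - dependency-name: "org.mockito:mockito-core"
        update-types: ["version-update:semver-major"]
      # A wildcard covers every starter in the group with one rule.
      - dependency-name: "org.springframework.boot:*"
        update-types: ["version-update:semver-major"]
```

Ignore rules are scoped to the `updates` entry they sit under, so the same block is needed in each ecosystem you want to pin. Because a file-level rule suppresses the whole major range rather than a single PR, check the repository's Dependabot alerts after adding one to confirm it is not also hiding a security fix that only ships in the newer major.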
Thanks @smcvb
Yes, we want to improve our ignore experience and hopefully should have this in the near future. I apologize for the current state.
Thanks for that, @abdulapopoola, and no worries at all. As a maintainer of several open source repositories, I know all too well the desire for change throughout the sheer amount of tasks in front of you.
If anything, thanks a ton for all the work you (and others!) have already put into this.