David McIntosh

This sounds great! Like @feelepxyz mentioned, Dependabot does tend to get into some more complicated allowed/ignored version configurations. We can have a mix of user supplied ranges, user preference to...

@jeffwidman are you able to reproduce this with the [dry run script](https://github.com/dependabot/dependabot-core/blob/main/bin/dry-run.rb) on the repo?

@dtomcej: Thanks! Something odd is definitely going on but it's great that you can reproduce it. Since we don't have access to this repo would you be able to run...

@dtomcej: I pushed up a branch that adds some debugging statements during the update process that will hopefully guide us to where it's going wrong: https://github.com/dependabot/dependabot-core/compare/mctofu/debug-go-mod-update. If you switch to...

Thanks @dtomcej! That definitely narrows it down but is also very strange 🤔! Because `** package: false` is in the output that tells me Dependabot is creating a dummy go...

@dtomcej: Wow, that's interesting! Curious if you'd get the same results using the `golang:1.17.5` docker image.

Would you mind trying with older versions of the golang image to determine if this is a problem that's been recently introduced? We may want to roll Dependabot back to...

@dtomcej Did you have any success in determining what the issue was in `go get -d`? We could add the `go mod download` step as a workaround but if there...

I cleaned up a few more unpinned cassettes in https://github.com/dependabot/dependabot-core/pull/4953

We're still investigating this & working on a test but have been observing that the npm cli is not always working with the proxy in mitm mode. When running `npm...