Wrongly reported dependency changes in GitHub app
Hey there, I hope this issue is in the correct place. Happy to report it in a different place, let me know where.
I have recently found more and more comments by the GitHub App that claim a dependency has been removed in a pure dependency upgrade PR.
There are plenty of examples in the xmldom repo
but the most recent one is here: https://github.com/xmldom/xmldom/pull/521#issuecomment-1658965243
All of these are really bumping a dependency version, not dropping it.
I'm currently assuming this also relates to issues where already approved issues have to be approved again, but I don't have an example I can share of that right now. (And maybe this is a separate issue? But I think it makes sense to first solve this one.)
From my perspective this issue is ruining your reputation as a reliable source of information. To avoid that effect, I'm starting to disable the GitHub App in some repositories, to avoid the noise and misinformation.
Today I received a report/comment that claims an updated version of a dependency is new: https://github.com/xmldom/xmldom/pull/526#issuecomment-1677617572
Maybe it's a different issue or just unfortunate wording, but the dependency was upgraded, as you can see from the diff.
Is there any chance that you are looking into this? This seems to still be the case after your announcement regarding improved reporting.
This is especially annoying since it renders the "new capabilities" and change in number of transient deps feature useless: if an updated version counts as removed and new version, all capabilities and transient deps of the new version always count as new.
I have now seen the same thing happening for a python package upgrade. So maybe this is the wrong repo for the report?
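To make the reported failure mode concrete, here is an added example (not Socket's code and not from the xmldom project) that diffs two constructed manifests plus constructed lock graphs. It keys dependencies by name, so a version bump is classified as an upgrade, and it computes which transitive packages are genuinely new by comparing the reachable sets before and after. The `naive_new` function reproduces the inflated count you get when a version change is treated as a removal plus an addition, which is the effect described above. Package names (`pkg-a`, `lib-1`, and so on) and versions are constructed sample values.

```python
"""Classify dependency changes by package name: added / removed / upgraded.

Added example, not Socket's implementation. Manifests follow the package.json
layout ("dependencies" / "devDependencies"); the lock graph is a flat map
name -> {"version": str, "dependencies": {name: range}}. All data is constructed.
"""
from dataclasses import dataclass, field

SECTIONS = ("dependencies", "devDependencies")

# Constructed "before" state: pkg-a 1.0.0 pulls in lib-1; tool-y pulls in lib-2.
BEFORE_MANIFEST = {"dependencies": {"pkg-a": "1.0.0"},
                   "devDependencies": {"tool-x": "2.0.0", "tool-y": "1.0.0"}}
BEFORE_LOCK = {
    "pkg-a": {"version": "1.0.0", "dependencies": {"lib-1": "^1"}},
    "lib-1": {"version": "1.0.0", "dependencies": {}},
    "tool-x": {"version": "2.0.0", "dependencies": {}},
    "tool-y": {"version": "1.0.0", "dependencies": {"lib-2": "^1"}},
    "lib-2": {"version": "1.0.0", "dependencies": {}},
}
# Constructed "after" state: pkg-a bumped to 1.1.0 (now also needs lib-3),
# pkg-b added, tool-y removed, lib-1 bumped as a side effect.
AFTER_MANIFEST = {"dependencies": {"pkg-a": "1.1.0", "pkg-b": "0.3.0"},
                  "devDependencies": {"tool-x": "2.0.0"}}
AFTER_LOCK = {
    "pkg-a": {"version": "1.1.0", "dependencies": {"lib-1": "^1", "lib-3": "^0.1"}},
    "lib-1": {"version": "1.2.0", "dependencies": {}},
    "lib-3": {"version": "0.1.0", "dependencies": {}},
    "tool-x": {"version": "2.0.0", "dependencies": {}},
    "pkg-b": {"version": "0.3.0", "dependencies": {"lib-1": "^1"}},
}


@dataclass
class DependencyDiff:
    added: dict = field(default_factory=dict)     # name -> new version
    removed: dict = field(default_factory=dict)   # name -> old version
    upgraded: dict = field(default_factory=dict)  # name -> (old, new)


def _declared(manifest):
    """Flatten every dependency section into one name -> range map."""
    out = {}
    for section in SECTIONS:
        out.update(manifest.get(section, {}))
    return out


def diff_manifests(before, after):
    """Match declared dependencies by name so a version change is an upgrade."""
    b, a = _declared(before), _declared(after)
    diff = DependencyDiff()
    for name in sorted(set(b) | set(a)):
        if name not in a:
            diff.removed[name] = b[name]
        elif name not in b:
            diff.added[name] = a[name]
        elif b[name] != a[name]:
            diff.upgraded[name] = (b[name], a[name])
    return diff


def closure(lock, roots):
    """Set of package names reachable from roots through the lock graph."""
    seen, stack = set(), list(roots)
    while stack:
        name = stack.pop()
        if name in seen or name not in lock:
            continue
        seen.add(name)
        stack.extend(lock[name].get("dependencies", {}))
    return seen


def transitive_changes(before_manifest, before_lock, after_manifest, after_lock):
    """Transitive packages that are new, dropped, or only changed version."""
    before = closure(before_lock, _declared(before_manifest))
    after = closure(after_lock, _declared(after_manifest))
    return {
        "new": sorted(after - before),
        "dropped": sorted(before - after),
        "version_changed": sorted(n for n in before & after
                                  if before_lock[n]["version"] != after_lock[n]["version"]),
    }


def naive_new(before_manifest, before_lock, after_manifest, after_lock):
    """The misbehaviour being reported: a bumped dependency is treated as
    removed + added, so its entire subtree is counted as newly introduced."""
    b, a = _declared(before_manifest), _declared(after_manifest)
    bumped_or_new = [n for n in a if n not in b or b[n] != a[n]]
    return sorted(closure(after_lock, bumped_or_new))


if __name__ == "__main__":
    print(diff_manifests(BEFORE_MANIFEST, AFTER_MANIFEST))
    print(transitive_changes(BEFORE_MANIFEST, BEFORE_LOCK, AFTER_MANIFEST, AFTER_LOCK))
    print("naive 'new' packages:", naive_new(BEFORE_MANIFEST, BEFORE_LOCK, AFTER_MANIFEST, AFTER_LOCK))
```

On the constructed data the name-keyed diff reports `pkg-a` as upgraded, `pkg-b` as added and `tool-y` as removed, and only `lib-3` and `pkg-b` as genuinely new transitive packages. The naive variant additionally lists `pkg-a` and `lib-1` as new, which is exactly why every capability of an upgraded package shows up as new when the bump is modelled as remove + add.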
Hi Christian, I'm an engineer at Socket and I'd be happy to look into this. Can you let me know more details about where you're seeing this? Feel free to email me at @.*** if the details are private.
@reberhardt7 here is the most recent example from the public xmldom repository: https://github.com/xmldom/xmldom/pull/643 This is a simple example since the updated package does not have a lot of dependencies. Here is a slightly more involved example from the same repo: https://github.com/xmldom/xmldom/pull/629#issuecomment-2002559424
What other details do you need?