
Not respecting groups' `exclude-pattern` config for sub-dependencies/implicit dependencies

Open · Drowze opened this issue 1 year ago · 1 comment

Is there an existing issue for this?

  • [X] I have searched the existing issues

Package ecosystem

Bundler

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

Gemfile (link):

source 'https://rubygems.org'

gem 'yabeda-karafka-2'
gem 'karafka'
gem 'karafka-testing'

Gemfile.lock: https://github.com/Drowze/ci-testing/blob/1c97473bc15e80ede999ce3f60ae8266478bd9c8/gemfiles/test_1/Gemfile.lock

dependabot.yml content

Dependabot.yml: https://github.com/Drowze/ci-testing/blob/1c97473bc15e80ede999ce3f60ae8266478bd9c8/.github/dependabot.yml

version: 2
updates:
  - package-ecosystem: "bundler"
    directory: "gemfiles/test_1/"
    insecure-external-code-execution: allow
    versioning-strategy: lockfile-only # only update Gemfile.lock
    schedule:
      # By default, this is on Monday
      interval: "weekly"
    commit-message:
      prefix: "[Dependabot]"
    pull-request-branch-name:
      separator: "-"
    labels:
      - dependencies
      - ruby
    groups:
      karafka:
        patterns:
          - "karafka*"
          - "waterdrop"
        update-types: [patch] # karafka minor versions include breaking changes
      internal-libraries:
        patterns:
          - "yabeda-karafka-2"
        exclude-patterns:
          - "karafka*"
          - "waterdrop"
        update-types: [minor, patch]

Updated dependency

No response

What you expected to see, versus what you actually saw

I expected the internal-libraries group to NOT update any karafka* or waterdrop gem, but instead the PR to that group included updates to karafka-core, karafka-rdkafka and waterdrop.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

Link to PR: https://github.com/Drowze/ci-testing/pull/2
Link to logs: https://github.com/Drowze/ci-testing/actions/runs/10581515067/job/29318986570

(Screenshot attached: 2024-08-27 13:04:50)

Smallest manifest that reproduces the issue

This small manifest should reproduce it: https://github.com/Drowze/ci-testing/blob/1c97473bc15e80ede999ce3f60ae8266478bd9c8/gemfiles/test_1

Drowze avatar Aug 27 '24 16:08 Drowze

Hey 👋

Any chance anyone had a look at this? 👀

Drowze avatar Oct 31 '24 22:10 Drowze

I'm seeing an identical issue here, where most-gems is including aws-partitions instead of the aws group.

  - package-ecosystem: bundler
    registries: '*'
    directory: '/'
    schedule:
      interval: weekly
    groups:
      most-gems:
        applies-to: version-updates
        patterns: ['*']
        exclude-patterns:
          - 'aws*'
          - 'rubocop*'
      # Usually can be done all together
      aws:
        applies-to: version-updates
        patterns:
          - 'aws*'
      # Often will require re-evaluation of rules, so validate these separately
      rubocop:
        applies-to: version-updates
        patterns:
          - 'rubocop*'

phene avatar Mar 24 '25 17:03 phene

I believe this is because most-gems includes a gem that depends on aws-partitions, which causes the exclusion matcher to be shortcutted here.

The reporter is seeing this because yabeda-karafka-2 depends on karafka.

phene avatar Mar 24 '25 17:03 phene
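To make the behaviour discussed in this thread concrete, below is an added Ruby model of group membership with `patterns` and `exclude-patterns`. It is example code written for this page, not dependabot-core's own implementation. The group definitions come from the reporter's dependabot.yml; the dependency graph, the set of gems with a newer version available, and the two matching strategies are constructed assumptions. The "naive" strategy models the reported behaviour: once a direct dependency is placed in a group, updatable sub-dependencies reachable through it are swept into the same PR without re-checking `exclude-patterns`. The "strict" strategy re-applies `exclude-patterns` to every sub-dependency, which is what the reporter expected.

```ruby
require "set"

# Constructed sample data modelled on the issue (not the real Gemfile.lock):
# the direct gems from the Gemfile, a hypothetical dependency graph, and the
# gems that currently have a newer version available.
DIRECT_DEPS = ["yabeda-karafka-2", "karafka", "karafka-testing"].freeze
DEP_GRAPH = {
  "yabeda-karafka-2" => ["karafka", "yabeda"],
  "karafka"          => ["karafka-core", "karafka-rdkafka", "waterdrop"],
  "karafka-testing"  => ["karafka"],
  "waterdrop"        => ["karafka-core"],
  "karafka-core"     => [],
  "karafka-rdkafka"  => [],
  "yabeda"           => []
}.freeze
UPDATABLE = Set["yabeda-karafka-2", "karafka-testing", "karafka-core",
                "karafka-rdkafka", "waterdrop"].freeze

# The two groups from the reporter's dependabot.yml.
GROUPS = {
  "karafka" => { patterns: ["karafka*", "waterdrop"], exclude_patterns: [] },
  "internal-libraries" => { patterns: ["yabeda-karafka-2"],
                            exclude_patterns: ["karafka*", "waterdrop"] }
}.freeze

# Glob matching in the style of dependabot group patterns (assumption: fnmatch).
def matches_any?(name, patterns)
  patterns.any? { |pattern| File.fnmatch?(pattern, name) }
end

def excluded?(name, group)
  matches_any?(name, group[:exclude_patterns])
end

# A direct dependency is in a group when it matches a pattern and no exclude-pattern.
def direct_member?(name, group)
  matches_any?(name, group[:patterns]) && !excluded?(name, group)
end

# Every gem reachable from +name+ through the dependency graph.
def transitive_deps(name, graph = DEP_GRAPH, seen = Set.new)
  graph.fetch(name, []).each do |sub|
    transitive_deps(sub, graph, seen) if seen.add?(sub)
  end
  seen
end

# Naive grouping (hypothetical model of the reported behaviour): once a direct
# dependency is in the group, every updatable sub-dependency reachable from it
# lands in the same PR, and exclude-patterns are never consulted for them.
def naive_group_members(group_name)
  group = GROUPS.fetch(group_name)
  members = Set.new
  DIRECT_DEPS.each do |dep|
    next unless UPDATABLE.include?(dep) && direct_member?(dep, group)
    members << dep
    transitive_deps(dep).each { |sub| members << sub if UPDATABLE.include?(sub) }
  end
  members.sort
end

# Strict grouping: exclude-patterns are applied to sub-dependencies as well.
def strict_group_members(group_name)
  group = GROUPS.fetch(group_name)
  members = Set.new
  DIRECT_DEPS.each do |dep|
    next unless UPDATABLE.include?(dep) && direct_member?(dep, group)
    members << dep
    transitive_deps(dep).each do |sub|
      members << sub if UPDATABLE.include?(sub) && !excluded?(sub, group)
    end
  end
  members.sort
end

if __FILE__ == $PROGRAM_NAME
  GROUPS.each_key do |name|
    puts "#{name}: naive=#{naive_group_members(name).inspect} " \
         "strict=#{strict_group_members(name).inspect}"
  end
end
```

Run it with `ruby group_model.rb`: for `internal-libraries` the naive strategy yields `karafka-core`, `karafka-rdkafka`, `waterdrop` and `yabeda-karafka-2`, which is exactly the set the reporter saw in the PR, while the strict strategy yields only `yabeda-karafka-2`. The `karafka` group, which has no `exclude-patterns`, comes out the same under both strategies. Replacing `DEP_GRAPH` and `UPDATABLE` with data from your own Gemfile.lock lets you predict which transitive bumps will ride along in a group PR, which matters when a group is reviewed under relaxed rules (such as the `update-types: [minor, patch]` here) on the assumption that excluded gems cannot reach it.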