dependabot
Dependabot ignores dependencies even if they have a higher version than the ignored version.
Is there an existing issue for this?
- [X] I have searched the existing issues
Package ecosystem
nuget
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
https://github.com/na1307/SimpleSixtarScorecard/blob/b8467df433c933f0b9a1ab04c37c2067524aac92/Directory.Packages.props
dependabot.yml content
https://github.com/na1307/SimpleSixtarScorecard/blob/b8467df433c933f0b9a1ab04c37c2067524aac92/.github/dependabot.yml
Updated dependency
JsonSchema.Net
What you expected to see, versus what you actually saw
The dependency is marked as ignored for [>= 7.0.a, < 7.1], but dependabot ignores it even though the current latest version is 7.2.3.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response
Do you have a log file you could share? The dependabot.yml doesn't contain any ignore conditions, so they must have been injected elsewhere and the full log should contain those details.
I ignored it using a dependabot ignore command. (#9916 and na1307/SimpleSixtarScorecard#5) I have a Dependabot Actions log, but I don't know which one to link to.
I am faced with the same issue as @na1307. I maintain a relatively big set of Java-based projects that are updated weekly by dependabot in grouped pull requests. As off last week, Dependabot has started to included ignored dependencies again.
One of those projects is the Axon Server Connector for Java project, where this Dependabot pull request is a concrete example.
Here are the logs for that job: axonserver-connector-java_AxonIQ_72920becbc1912680d9cbcaccd8ca146ba7aaf02.json
I am faced with the same issue as @na1307. I maintain a relatively big set of Java-based projects that are updated weekly by dependabot in grouped pull requests. As off last week, Dependabot has started to included ignored dependencies again.
One of those projects is the Axon Server Connector for Java project, where this Dependabot pull request is a concrete example.
Here are the logs for that job: axonserver-connector-java_AxonIQ_72920becbc1912680d9cbcaccd8ca146ba7aaf02.json
It seems different in my case. In my case, Dependabot ignores the dependency even though there is a newer version that is outside the ignored dependency version range. It seems to be the exact opposite of your case.
I am faced with the same issue as @na1307. I maintain a relatively big set of Java-based projects that are updated weekly by dependabot in grouped pull requests. As off last week, Dependabot has started to included ignored dependencies again.
One of those projects is the Axon Server Connector for Java project, where this Dependabot pull request is a concrete example.
Here are the logs for that job: axonserver-connector-java_AxonIQ_72920becbc1912680d9cbcaccd8ca146ba7aaf02.json
@smcvb I've responded on the closed PR but just to close the loop:
We made a change 3 weeks ago to follow the maven version identifier specification . Based on this, 5.0.a0 == 5.0.alpha < 5.0.a. The first 2 are prereleases but 5.0.a is not. Likewise with 5.a. If you use 5.0a0 and 5.a0, respectively, everything should work as before.
@smcvb I've responded on the closed PR but just to close the loop:
We made a change 3 weeks ago to follow the maven version identifier specification . Based on this, 5.0.a0 == 5.0.alpha < 5.0.a. The first 2 are prereleases but 5.0.a is not. Likewise with 5.a. If you use 5.0a0 and 5.a0, respectively, everything should work as before.
Thanks for the quick response, @amazimbe! So, if I follow you and the linked description correctly, the fact the Mockito 5.0.0 release is added to my Dependabot PRs, is because I set ignore rules for 5.a and 5.0.a, where the latter causes the match with 5.0.0, right?
Thanks for the quick response, @amazimbe! So, if I follow you and the linked description correctly, the fact the Mockito 5.0.0 release is added to my Dependabot PRs, is because I set ignore rules for 5.a and 5.0.a, where the latter causes the match with 5.0.0, right?
That's correct.
Thank you to everybody for the additional information.
As to the original issue of version 7.2.3 not getting selected, that is indeed a bug and will need some more investigation.
As for the other issues like 5.0.a, that's an alternate syntax for a wildcard version. The short answer is that a single letter is treated as an asterisk *, so 5.0.a is interpreted as 5.0.* which is why it matches 5.0.0.
After @amazimbe helpful comment, I went and removed all comment-based ignore rules from the repositories I maintain. Just to clarify, this is the approach I took:
Thanks for the quick response, @amazimbe! So, if I follow you and the linked description correctly, the fact the Mockito 5.0.0 release is added to my Dependabot PRs, is because I set ignore rules for 5.a and 5.0.a, where the latter causes the match with 5.0.0, right?
That's correct.
Either I have configured something incorrectly, or we are missing some other pointers at this stage. Because this Dependabot pull request still added the aforementioned Mockito 5.0.0 dependency, while the ignore rules for this dependency are as follows:
org.mockito:mockito-core [>= 5.a, < 6] -> Can be found in this comment in the referred-to pull request.
Hence, the 5.0.a match was removed. This match was introduced through the @dependabot ignore [this] minor version command.
The leftover ignore rule is from invoking @dependabot ignore [this] major version.
So, if anybody can guide me on why a major release is still included while it has been ignored, that would be great!
If the recommendation is to use ignore rules in the dependabot.yml instead of using the GitHub comments, I am all for trying, by the way.
@smcvb here is the maven issue ticket: https://github.com/dependabot/dependabot-core/issues/10798. It's unrelated to this nuget issue.