Job definition contains stale data for `existing-pull-requests` and `existing-group-pull-requests`
Is there an existing issue for this?
- [X] I have searched the existing issues
Package ecosystem
npm
Package manager version
pnpm 9.12.0
Language version
Node.js 22.9.0
Manifest location and content before the Dependabot update
No response
dependabot.yml content
No response
Updated dependency
No response
What you expected to see, versus what you actually saw
Recently, Dependabot stopped creating version update pull requests for one of our dependency groups.
After digging into our Dependabot logs, we found that the job definition printed by the following line contains stale data:
https://github.com/dependabot/dependabot-core/blob/f38ac2f1dce398b7ca7274b4398a78cdf994f008/updater/lib/dependabot/file_fetcher_command.rb#L21
In particular, even though there are no open pull requests in our repository and no branches besides the main branch, the `jobDefinition["job"]["existing-pull-requests"]` and `jobDefinition["job"]["existing-group-pull-requests"]` fields in the logged job definition both contain some stale and now-invalid entries.
Since group pull requests seem to be tracked solely by the dependency group name, this is causing Dependabot to skip the groups that it thinks already have pull requests, even though no such pull requests exist.
https://github.com/dependabot/dependabot-core/blob/f38ac2f1dce398b7ca7274b4398a78cdf994f008/updater/lib/dependabot/updater/group_update_creation.rb#L441-L443
https://github.com/dependabot/dependabot-core/blob/f38ac2f1dce398b7ca7274b4398a78cdf994f008/updater/lib/dependabot/updater/operations/group_update_all_versions.rb#L90-L97
This manifests in our Dependabot logs in the same manner as https://github.com/dependabot/dependabot-core/issues/7543.
Is there any way to force Dependabot to reset its internal state for our repository to get rid of this stale data?
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response
I'm having this same problem with a repository with Ruby gems. The "existing group PR" (according to Dependabot) was merged 3 months ago and it is not allowing more Dependabot PRs to be created for gems in this group.
This may be a dup of #9920
I found that renaming the dependency group is a valid workaround.
I have a similar issue with non-grouped NuGet dependencies for several repos in our GH org. "existing-pull-requests" in the Dependabot logs contains what looks like dependencies that had Dependabot PRs that were closed by Dependabot itself due to being superseded by other Dependabot PRs, etc.
Has anyone found a workaround for this? I have tried upping the allowed-open-pull-requests option in dependabot.yml from 10 to 100 with no effect. There are fewer than 100 of those closed/stale Dependabot PRs listed in the logs, so I would have expected this to bypass the problem...
It looks like this started failing at the same time for several repos, so I suspect Dependabot introduced a change in behaviour (bug?) at that time. The last time Dependabot worked on any of these repos was May 5th. It works fine with a fresh repo with no existing PRs.
We're experiencing the same stale existing-pull-requests cache issue with the NuGet ecosystem. Dependabot processes 35+ package updates successfully but creates no PRs.
Our logs show the exact problem: Dependabot receives stale PR data for packages that were merged months ago (e.g., "dependency-name": "Anthropic.SDK", "dependency-version": "4.6.0" but this was updated to 5.2.0 in April).
Attempted workarounds:
- ✅ Renamed dependency groups (microsoft-dependencies → microsoft-deps)
- ✅ Disabled/re-enabled Dependabot
The job correctly shows renamed groups: "dependency-groups": [ {"name": "microsoft-deps", "rules": {"patterns": ["Microsoft.", "System."]}}, {"name": "awssdk-deps", "rules": {"patterns": ["AWSSDK.*"]}} ]
But GitHub's API still returns the old PR references: "existing-pull-requests": [ [{"dependency-name": "Microsoft.EntityFrameworkCore.Design", "dependency-version": "8.0.5"}], [{"dependency-name": "Anthropic.SDK", "dependency-version": "4.6.0"}] ]
This started affecting most if not all of our repositories on about May 22nd.
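A way to check a logged job definition for the stale entries described in this thread, as an added example that is not part of the thread or of dependabot-core. `pr_key` and `audit_job` are hypothetical helper names, the job definition is constructed sample data, the layout of `existing-group-pull-requests` entries is an assumption, and the open-PR list and manifest versions are supplied by whoever runs the check.

```ruby
require "json"

# Constructed job definition, shaped like the fragments quoted in this thread.
# The layout of "existing-group-pull-requests" entries is an assumption.
JOB = JSON.parse(<<~JSON)
  {"job": {
    "dependency-groups": [{"name": "awssdk-deps", "rules": {"patterns": ["AWSSDK.*"]}}],
    "existing-pull-requests": [
      [{"dependency-name": "Anthropic.SDK", "dependency-version": "4.6.0"}],
      [{"dependency-name": "Example.Lib", "dependency-version": "2.0.0"}]
    ],
    "existing-group-pull-requests": [
      {"dependency-group-name": "awssdk-deps",
       "dependencies": [{"dependency-name": "AWSSDK.S3", "dependency-version": "3.7.1"}]}
    ]
  }}
JSON

# Normalise a PR's dependency list to sorted [name, version] pairs for comparison.
def pr_key(deps)
  deps.map { |d| [d["dependency-name"], d["dependency-version"]] }.sort
end

# open_pr_keys: pr_key-style lists for PRs that are really open in the repository.
# manifest: dependency name => version currently in the manifest.
def audit_job(job_definition, open_pr_keys, manifest)
  job = job_definition.fetch("job")
  stale = job.fetch("existing-pull-requests", [])
             .map { |deps| pr_key(deps) }
             .reject { |key| open_pr_keys.include?(key) }
  # Stale entries whose version the manifest has already reached or passed.
  applied = stale.select do |key|
    key.all? do |name, version|
      manifest[name] && Gem::Version.new(manifest[name]) >= Gem::Version.new(version)
    end
  end
  # Groups listed as having a PR although no matching PR is open.
  blocked = job.fetch("existing-group-pull-requests", [])
               .reject { |g| open_pr_keys.include?(pr_key(g.fetch("dependencies", []))) }
               .map { |g| g["dependency-group-name"] }
  { stale: stale, already_applied: applied, blocked_groups: blocked }
end

report = audit_job(JOB, [], { "Anthropic.SDK" => "5.2.0" })
puts JSON.pretty_generate(report)
```

Any name under `blocked_groups` is a group the job definition reports as already having a pull request even though none is open.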
I think we have the same problem
In the logs there is a list of existing-pull-requests for one of our projects in a monorepo, although there are no active PRs related to dependency updates. Dependabot no longer creates PRs for this project, although the logs show that updates were found.
How would we update this list? Renaming the group didn't help.
@glacius-mitchell, can you please provide the logs or the job id of the Dependabot run that fails to create the PRs? You can find them under the Actions tab:
@AbhishekBhaskar Unfortunately the 90-day log retention period in our organization for these logs has long since passed, so I no longer have access to them, but perhaps one of the other users in this thread who have encountered this issue more recently can supply their logs instead.
@hloken @cwigley-air, can you please share the logs or the job id of the Dependabot job that fails to create the PRs so we can troubleshoot it in our local systems? You can find them under the Actions tab as I've displayed in my comment above.
@AbhishekBhaskar I have also created a support ticket and there are logs attached. 3450820
@glacius-mitchell, there was a fix that was pushed recently to unblock group PR creation in certain scenarios. Can you please retry running dependabot updates and see if the issue is still reproducible? Thanks!