Dependabot ignore major version not working
Is there an existing issue for this?
- [X] I have searched the existing issues
Package ecosystem
maven
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
https://github.com/pzrep/dbot-semver-maven/blob/master/pom.xml
dependabot.yml content
https://github.com/pzrep/dbot-semver-maven/blob/master/.github/dependabot.yml
Updated dependency
org.slf4j:slf4j-api:1.7.29
What you expected to see, versus what you actually saw
Expected: PR to update to 1.7.36
Actually seen: No such PR.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
Here's what happened.
- Starting with org.slf4j:slf4j-api:1.7.29
- 1st dependabot run -> https://github.com/pzrep/dbot-semver-maven/pull/1
- `@dependabot ignore this major version` -> OK, I won't notify you about version 2.x.x again, unless you re-open this PR.
- 2nd dependabot run -> https://github.com/pzrep/dbot-semver-maven/pull/2
- `@dependabot ignore this major version` -> OK, I won't notify you about version 2.x.x again, unless you re-open this PR.
- 3rd dependabot run ->
```text
updater | 2024/10/16 08:17:48 INFO <job_901927934> Checking if org.slf4j:slf4j-api 1.7.29 needs updating
updater | 2024/10/16 08:17:48 INFO <job_901927934> Ignored versions:
2024/10/16 08:17:48 INFO <job_901927934> >= 2.a, < 3 - from @dependabot ignore command
proxy | 2024/10/16 08:17:48 [012] GET https://repo.maven.apache.org:443/maven2/org/slf4j/slf4j-api/maven-metadata.xml
proxy | 2024/10/16 08:17:48 [012] 200 https://repo.maven.apache.org:443/maven2/org/slf4j/slf4j-api/maven-metadata.xml
updater | 2024/10/16 08:17:48 INFO <job_901927934> Filtered out 27 pre-release versions
updater | 2024/10/16 08:17:48 INFO <job_901927934> Filtered out 16 ignored versions
proxy | 2024/10/16 08:17:48 [016] HEAD https://repo.maven.apache.org:443/maven2/org/slf4j/slf4j-api/2.0.0/slf4j-api-2.0.0.jar
proxy | 2024/10/16 08:17:48 [016] 200 https://repo.maven.apache.org:443/maven2/org/slf4j/slf4j-api/2.0.0/slf4j-api-2.0.0.jar
updater | 2024/10/16 08:17:48 INFO <job_901927934> Latest version is 2.0.0
updater | 2024/10/16 08:17:48 INFO <job_901927934> Pull request already exists for org.slf4j:slf4j-api with latest version 2.0.0
```
Result: The update to 1.7.36 is not offered.
@amazimbe
Smallest manifest that reproduces the issue
https://github.com/pzrep/dbot-semver-maven
@pzygielo this looks like a bug in the way the @dependabot command calculates the ignore range. It came up with >= 2.a, < 3 - but that should have been >= 2.a0, < 3. I'll work on a fix but in the meantime you can setup the ignore conditions in .github/dependabot.yml. Here is an example:
```yaml
version: 2
updates:
  - package-ecosystem: maven
    directory: /
    schedule:
      interval: "daily"
      time: "01:00"
      timezone: "UTC"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major", "version-update:semver-minor"]
    groups:
      dependencies:
        patterns:
          - "*"
    target-branch: main
```
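To see why `2.a` versus `2.a0` decides the outcome, here is an added Python model of Maven's ComparableVersion ordering rules (the ordering Maven applies to artifact versions). This is illustration code written for this thread, not dependabot-core's implementation; that dependabot's Maven version comparison follows the same Maven rules is an assumption, as is the simplified tokenizer (empty segments such as `1..2` are not handled). The candidate version list is constructed. Under these rules `2.a` carries an unknown qualifier `a`, which Maven sorts after a release, so `2.0.0` falls below the lower bound `>= 2.a` and escapes the ignore range (matching the `Latest version is 2.0.0` in the log above), whereas `2.a0` reads as `2-alpha-0` and sits below every 2.x version.

```python
"""Model of Maven's ComparableVersion ordering, used to show how the ignore
range ">= 2.a, < 3" lets 2.0.0 through while ">= 2.a0, < 3" does not.
Added illustration, not dependabot-core's code (assumption: dependabot's
Maven ordering follows the Maven rules modelled here)."""
import itertools
import re
from functools import cmp_to_key

QUALIFIERS = ["alpha", "beta", "milestone", "rc", "snapshot", "", "sp"]
ALIASES = {"ga": "", "final": "", "release": "", "cr": "rc"}
RELEASE_KEY = str(QUALIFIERS.index(""))
_sign = lambda x, y: (x > y) - (x < y)


def _qkey(q):
    # Known qualifiers sort by table position; unknown ones sort after all of them.
    return str(QUALIFIERS.index(q)) if q in QUALIFIERS else f"{len(QUALIFIERS)}-{q}"


def _is_null(item):
    kind, val = item
    return val == 0 if kind == "int" else (_qkey(val) == RELEASE_KEY if kind == "str" else not val)


def _normalize(items):
    # Strip trailing "null" items (0, release qualifier, empty sublist): 2.0.0 == 2.
    i = len(items) - 1
    while i >= 0:
        if _is_null(items[i]):
            del items[i]
        elif items[i][0] != "list":
            break
        i -= 1


def parse(version):
    """Tokenize a version into nested (kind, value) items following Maven's rules."""
    tokens = re.findall(r"\d+|[a-z]+|[.-]", version.lower())
    cur = root = []
    stack = [root]
    for i, tok in enumerate(tokens):
        if tok == ".":
            continue
        if tok == "-" or (i and tokens[i - 1] not in ".-"):  # "-" or a digit/letter boundary opens a sublist
            sub = []
            cur.append(("list", sub))
            stack.append(sub)
            cur = sub
            if tok == "-":
                continue
        if tok.isdigit():
            cur.append(("int", int(tok)))
        else:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if nxt.isdigit() and len(tok) == 1:  # "a0" means alpha-0; bare "a" stays an unknown qualifier
                tok = {"a": "alpha", "b": "beta", "m": "milestone"}.get(tok, tok)
            cur.append(("str", ALIASES.get(tok, tok)))
    while stack:
        _normalize(stack.pop())
    return ("list", root)


def _cmp(a, b):
    """Compare two items; b may be None for a missing trailing position."""
    kind, val = a
    if kind == "int":
        if b is None:
            return int(val != 0)
        return _sign(val, b[1]) if b[0] == "int" else 1  # int > str, int > list
    if kind == "str":
        if b is None:
            return _sign(_qkey(val), RELEASE_KEY)  # unknown "a" sorts above a release
        return _sign(_qkey(val), _qkey(b[1])) if b[0] == "str" else -1
    if b is None:
        return _cmp(val[0], None) if val else 0
    if b[0] != "list":
        return -1 if b[0] == "int" else 1  # 1-1 < 1.0.x, 1-1 > 1-sp
    for left, right in itertools.zip_longest(val, b[1]):
        res = _cmp(left, right) if left is not None else -_cmp(right, None)
        if res:
            return res
    return 0


def compare_versions(a, b):
    return _cmp(parse(a), parse(b))


_OK = {">=": (0, 1), ">": (1,), "<=": (-1, 0), "<": (-1,), "=": (0,)}


def in_range(version, requirement):
    """True if version satisfies every comma-separated clause, e.g. '>= 2.a0, < 3'."""
    for clause in requirement.split(","):
        op, bound = re.match(r"\s*(>=|<=|>|<|=)\s*(\S+)\s*$", clause).groups()
        if compare_versions(version, bound) not in _OK[op]:
            return False
    return True


def newest_allowed(candidates, ignore_requirements):
    """Highest candidate that no ignore requirement covers (None if all are ignored)."""
    allowed = [v for v in candidates if not any(in_range(v, r) for r in ignore_requirements)]
    return max(allowed, key=cmp_to_key(compare_versions), default=None)


# Constructed candidate list standing in for the Maven Central metadata.
CANDIDATES = ["1.7.29", "1.7.30", "1.7.36", "2.0.0-alpha1", "2.0.0", "2.0.16"]

if __name__ == "__main__":
    for req in (">= 2.a, < 3", ">= 2.a0, < 3"):
        print(f"ignore {req!r:16} -> newest allowed: {newest_allowed(CANDIDATES, [req])}")
```

Run it and the buggy range yields `2.0.0` as the newest allowed version (exactly the release that is not `>= 2.a`, while `2.0.16` and `2.0.0-alpha1` are correctly ignored), and the corrected range yields `1.7.36`. The same `in_range` check is a handy way to sanity-test an `ignore` entry from `dependabot.yml` against the versions you expect it to cover before relying on it.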
Thanks for checking and for the recommendation about the config update.
@pzygielo this should be fixed now. Can you please retest?
- I forked reproducer, and after ignoring major version in pzygielo/dbot-semver-maven#1 the next PR was pzygielo/dbot-semver-maven#2 as expected.
- https://github.com/pzygielo/dbot-semver-maven/actions/runs/11615834054/job/32347364997
Thank you.
First off, thanks for working to fix the "ignore major version" issue referred to at the start. I was directed here by @amazimbe from another issue I was replying to concerning this predicament (thanks again for linking, @amazimbe).
I've set up dependabot for our projects to trigger on Sunday. I, however, still have included major versions, while I have ignore-rules set for those through the issue comment section.
For reference, this is one of the automatically created dependabot PRs showing this behavior.
More concretely, I have a rule to ignore [>= 5.a, < 6] of the org.mockito:mockito-core dependency.
However, an upgrade of org.mockito:mockito-core to 5.0.0 is part of the referred pull request.
As they're perhaps helpful, here are the logs for this specific dependabot run: axonserver-connector-java_AxonIQ_dependabot-logs.json It is a "rebase" run, though.
I am thinking of two reasons why it might not work for me as expected:
- The fix is merged, but it is not yet active.
- Because it's a rebase run, it took the previous (incorrect) update of Mockito to 5.0.0 with it during the process.
A little bit of a nudge here, but I opened #10923 about two weeks ago as I am still faced with ignored major versions being included in the dependabot PR's I am receiving.
Any guidance on why this would still be happening to me while this issue has been resolved since the 18th of October would be very much appreciated! :pray:
Hi @smcvb
If you remove your current ignore conditions and then add them again it should work. You shouldn't see 5.a in the range anymore as that should be 5.a0
> If you remove your current ignore conditions and then add them again it should work. You shouldn't see 5.a in the range anymore as that should be 5.a0
So a "fresh" rule set should do the trick. Thanks for sharing that, @amazimbe! I'll give it a try.