Unknown metadata version: 2.4
Is there an existing issue for this?
- [x] I have searched the existing issues
Package ecosystem
pip
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
content of the only file in /pyproject.toml
[tool.poetry]
name = "test"
package-mode = false
[tool.poetry.dependencies]
python = "^3.12"
twilio = "9.4.6"
sendgrid = "6.11.0"
[build-system]
requires = ["poetry-core"]
build-backend = "poetry.core.masonry.api"
poetry.lock generated with poetry install
dependabot.yml content
No response
Updated dependency
No response
What you expected to see, versus what you actually saw
Command used:
docker run --rm -i -e DEPENDABOT_PACKAGE_MANAGER=pip -e DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT=1 -e AZURE_ORGANIZATION=$AZURE_ORGANIZATION -e AZURE_PROJECT=$AZURE_PROJECT -e AZURE_REPOSITORY=$AZURE_REPOSITORY -e AZURE_ACCESS_TOKEN=$AZURE_ACCESS_TOKEN ghcr.io/tinglesoftware/dependabot-updater-pip:1.45 update_script
Error log:
warning: parser/current is loading parser/ruby33, which recognizes 3.3.7-compliant syntax, but you are running 3.3.1.
Please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
Using 'https://dev.azure.com:443/' as API endpoint
Pull Requests shall be linked to milestone (work item) 0
Working in $AZURE_ORGANIZATION/$AZURE_PROJECT/_git/test-fail-dependabot, 'default' branch under '/' directory
Cloning repository into /home/dependabot/dependabot-updater/tmp/$AZURE_ORGANIZATION/$AZURE_PROJECT/_git/test-fail-dependabot
Found 2 dependency file(s) at commit 94408a8d1a49f9031a3bc901c00b5193004e46cc
- /pyproject.toml
- /poetry.lock
Parsing dependencies information
Found 2 dependencies
- twilio (9.4.6)
- sendgrid (6.11.0)
🌍 --> GET https://dev.azure.com/$AZURE_ORGANIZATION/_apis/connectionData
🌍 <-- 200 https://dev.azure.com/$AZURE_ORGANIZATION/_apis/connectionData
🌍 --> GET https://dev.azure.com/$AZURE_ORGANIZATION/$AZURE_PROJECT/_apis/git/repositories/test-fail-dependabot
🌍 <-- 200 https://dev.azure.com/$AZURE_ORGANIZATION/$AZURE_PROJECT/_apis/git/repositories/test-fail-dependabot
🌍 --> GET https://dev.azure.com/$AZURE_ORGANIZATION/$AZURE_PROJECT/_apis/git/repositories/test-fail-dependabot/pullrequests?api-version=7.1&searchCriteria.status=active&searchCriteria.creatorId=d7a6f031-8553-6714-a4c0-6e707d2c354d&searchCriteria.targetRefName=refs/heads/master
🌍 <-- 200 https://dev.azure.com/$AZURE_ORGANIZATION/$AZURE_PROJECT/_apis/git/repositories/test-fail-dependabot/pullrequests?api-version=7.1&searchCriteria.status=active&searchCriteria.creatorId=d7a6f031-8553-6714-a4c0-6e707d2c354d&searchCriteria.targetRefName=refs/heads/master
Checking if twilio 9.4.6 needs updating
🌍 --> GET https://pypi.org/simple/twilio/
🌍 <-- 200 https://pypi.org/simple/twilio/
I, [2025-04-07T09:57:31.163266 #6] INFO -- : Filtered out 8 yanked versions
I, [2025-04-07T09:57:31.164426 #6] INFO -- : Filtered out 47 pre-release versions
🌍 --> GET https://pypi.org/pypi/test/json/
🌍 <-- 301 https://pypi.org/pypi/test/json/
🌍 --> GET https://pypi.org/pypi/test/json
🌍 <-- 404 https://pypi.org/pypi/test/json
W, [2025-04-07T09:57:42.955822 #6] WARN -- : Creating virtualenv test-CcSZQjlm-py3.12 in /home/dependabot/.cache/pypoetry/virtualenvs
Updating dependencies
Resolving dependencies...
/usr/local/.pyenv/versions/3.12.5/lib/python3.12/site-packages/pkginfo/distribution.py:175: NewMetadataVersion: New metadata version (2.4) higher than latest supported version: parsing as 2.3
warnings.warn(NewMetadataVersion(self.metadata_version))
Unknown metadata version: 2.4
Error working on updates for twilio 9.4.6 (continuing)
/home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-common-0.285.0/lib/dependabot/shared_helpers.rb:463:in `run_shell_command': Creating virtualenv test-CcSZQjlm-py3.12 in /home/dependabot/.cache/pypoetry/virtualenvs (Dependabot::SharedHelpers::HelperSubprocessFailed)
Updating dependencies
Resolving dependencies...
/usr/local/.pyenv/versions/3.12.5/lib/python3.12/site-packages/pkginfo/distribution.py:175: NewMetadataVersion: New metadata version (2.4) higher than latest supported version: parsing as 2.3
warnings.warn(NewMetadataVersion(self.metadata_version))
Unknown metadata version: 2.4
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:179:in `bind_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:179:in `validate_call_skip_block_type'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:121:in `block in create_validator_slow_skip_block_type'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-python-0.285.0/lib/dependabot/python/update_checker/poetry_version_resolver.rb:329:in `run_poetry_command'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-python-0.285.0/lib/dependabot/python/update_checker/poetry_version_resolver.rb:167:in `run_poetry_update_command'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-python-0.285.0/lib/dependabot/python/update_checker/poetry_version_resolver.rb:103:in `block (2 levels) in fetch_latest_resolvable_version_string'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-common-0.285.0/lib/dependabot/shared_helpers.rb:290:in `with_git_configured'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:282:in `bind_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:282:in `validate_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:203:in `block in create_validator_slow'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-python-0.285.0/lib/dependabot/python/update_checker/poetry_version_resolver.rb:93:in `block in fetch_latest_resolvable_version_string'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-common-0.285.0/lib/dependabot/shared_helpers.rb:81:in `block in in_a_temporary_directory'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-common-0.285.0/lib/dependabot/shared_helpers.rb:81:in `chdir'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-common-0.285.0/lib/dependabot/shared_helpers.rb:81:in `in_a_temporary_directory'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:282:in `bind_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:282:in `validate_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:203:in `block in create_validator_slow'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-python-0.285.0/lib/dependabot/python/update_checker/poetry_version_resolver.rb:92:in `fetch_latest_resolvable_version_string'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-python-0.285.0/lib/dependabot/python/update_checker/poetry_version_resolver.rb:65:in `latest_resolvable_version'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-python-0.285.0/lib/dependabot/python/update_checker.rb:44:in `latest_resolvable_version'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-common-0.285.0/lib/dependabot/update_checkers/base.rb:127:in `preferred_resolvable_version'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:282:in `bind_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:282:in `validate_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/_methods.rb:277:in `block in _on_method_added'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-common-0.285.0/lib/dependabot/update_checkers/base.rb:344:in `preferred_version_resolvable_with_unlock?'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:282:in `bind_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:282:in `validate_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/_methods.rb:277:in `block in _on_method_added'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-common-0.285.0/lib/dependabot/update_checkers/base.rb:335:in `numeric_version_can_update?'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:282:in `bind_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:282:in `validate_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/_methods.rb:277:in `block in _on_method_added'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-common-0.285.0/lib/dependabot/update_checkers/base.rb:278:in `version_can_update?'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:282:in `bind_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:282:in `validate_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/_methods.rb:277:in `block in _on_method_added'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-common-0.285.0/lib/dependabot/update_checkers/base.rb:94:in `can_update?'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:282:in `bind_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/call_validation.rb:282:in `validate_call'
from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/sorbet-runtime-0.5.11911/lib/types/private/methods/_methods.rb:277:in `block in _on_method_added'
from bin/update_script.rb:613:in `block in <main>'
from bin/update_script.rb:563:in `each'
from bin/update_script.rb:563:in `<main>'
Checking if sendgrid 6.11.0 needs updating
🌍 --> GET https://pypi.org/simple/sendgrid/
🌍 <-- 200 https://pypi.org/simple/sendgrid/
I, [2025-04-07T09:57:43.136579 #6] INFO -- : Filtered out 4 pre-release versions
No update needed for sendgrid 6.11.0
Done
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response
I needed to update dependabot's internal version to make it work:
Dockerfile:
FROM ghcr.io/tinglesoftware/dependabot-updater-pip:1.45
RUN /usr/local/.pyenv/versions/3.12.5/bin/pip install pkginfo==1.12.1.2
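The log above shows pkginfo treating 2.3 as its latest supported metadata version and the Poetry resolve failing on 2.4. As an added example (not code from the issue, Dependabot or Poetry), this Python sketch reads `Metadata-Version` from wheel archives and flags those above a supported ceiling, so an updater image can be checked before dependency updates silently stop. The function names, the `MAX_SUPPORTED` constant and the in-memory sample wheels are constructed for illustration.

```python
import io
import zipfile
from email.parser import HeaderParser

# Ceiling taken from the log line "parsing as 2.3"; adjust to the parser in use (assumption).
MAX_SUPPORTED = (2, 3)

def metadata_version(wheel_bytes):
    """Return the wheel's Metadata-Version as a tuple of ints, e.g. (2, 4)."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = [n for n in zf.namelist()
                 if n.count("/") == 1 and n.endswith(".dist-info/METADATA")]
        if len(names) != 1:
            raise ValueError("expected one .dist-info/METADATA, found %d" % len(names))
        text = zf.read(names[0]).decode("utf-8")
    # METADATA uses RFC 822 style headers, so the stdlib header parser reads it.
    raw = HeaderParser().parsestr(text).get("Metadata-Version")
    if raw is None:
        raise ValueError("METADATA has no Metadata-Version header")
    try:
        return tuple(int(part) for part in raw.strip().split("."))
    except ValueError:
        raise ValueError("malformed Metadata-Version: %r" % raw)

def unsupported(wheels, max_supported=MAX_SUPPORTED):
    """Map wheel file name -> version string for wheels newer than max_supported."""
    flagged = {}
    for name, blob in wheels.items():
        version = metadata_version(blob)
        if version > max_supported:
            flagged[name] = ".".join(map(str, version))
    return flagged

def make_wheel(dist, version, metadata_version_str):
    """Build a minimal wheel in memory (constructed sample input, not a real release)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{dist}-{version}.dist-info/METADATA",
                    f"Metadata-Version: {metadata_version_str}\n"
                    f"Name: {dist}\nVersion: {version}\n")
    return buf.getvalue()

# Constructed sample: one wheel the old parser accepts, one it rejects.
SAMPLE = {
    "alpha-1.0-py3-none-any.whl": make_wheel("alpha", "1.0", "2.1"),
    "beta-2.0-py3-none-any.whl": make_wheel("beta", "2.0", "2.4"),
}

if __name__ == "__main__":
    for name, ver in unsupported(SAMPLE).items():
        print(f"{name}: Metadata-Version {ver} is newer than {MAX_SUPPORTED}")
```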
Seeing the same issue on GHES 3.15.6
@vincentfenet and @ishaan-mehta I am unable to reproduce the same on this repo: https://github.com/dsp-testing/poetry-unknown-metadata-test/actions/runs/15465003424/job/43534937232
Could you please let me know if I am missing anything?
In case this is only related to GHE 3.15.6, why can't we follow this: https://docs.github.com/en/[email protected]/admin/managing-github-actions-for-your-enterprise/managing-access-to-actions-from-githubcom/manually-syncing-actions-from-githubcom
Hi @thavaahariharangit — thanks for the response!
We already tried the actions-sync tool, but Dependabot ended up using the same action version (based on the SHA at the beginning of the workflow run).
And it is not limited to just GHES 3.15.6, as I just re-tried auto-creating a PR after an upgrade to 3.16.3 and we are seeing the same issue.
@ishaan-mehta When did you last try this? I recently updated the tags, so it should be working as expected now: https://github.com/github/dependabot-action/tags
Could you test it again and let me know the outcome please?
Hi @thavaahariharangit, we applied the sync last week. After that, we tested on both 3.15.6 and 3.16.3 (on Thursday for 3.15.6 and today for 3.16.3).
On last week's run (GHES 3.15.6), I saw it pull SHA 26f44b83a818f500a324ca4377e87760b84a6f7c, which corresponds to https://github.com/github/dependabot-action/releases/tag/v2.19.0.
On today's run (GHES 3.16.3), I am seeing it pull SHA 11f63a96f22fdc1a4e967428ff6a322838a3ff7b, which corresponds to https://github.com/github/dependabot-action/releases/tag/v2.21.0.
It seems like actions-sync is not properly updating the version of dependabot-action that is used.
@ishaan-mehta
Yes, you are right. If actions-sync runs properly, then both tags https://github.com/github/dependabot-action/releases/tag/ghes-3.16 and https://github.com/github/dependabot-action/releases/tag/ghes-3.15
should be pointing to release v2.27.0 https://github.com/github/dependabot-action/releases/tag/v2.27.0
Instructions provided here: https://docs.github.com/en/[email protected]/admin/managing-github-actions-for-your-enterprise/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect
Closing w.r.t. the above comments. Can be reopened if the issue is reproducible.