Patterns not respected while grouping
Is there an existing issue for this?
- [x] I have searched the existing issues
Package ecosystem
nuget
Package manager version
dotnet sdk 8.0.408
Language version
No response
Manifest location and content before the Dependabot update
There are 3 projects in the repo:
- /Stargate/Stargate.csproj

  <Project Sdk="Microsoft.NET.Sdk.Web">
    <PropertyGroup>
      <TargetFramework>net8.0</TargetFramework>
      <Platforms>AnyCPU;x64</Platforms>
      <ApplicationIcon />
      <OutputType>Exe</OutputType>
      <StartupObject />
      <ApplicationInsightsResourceId>/subscriptions/68044b6e-eeba-4581-90e3-d6d64c17e177/resourcegroups/Stargate/providers/microsoft.insights/components/Stargate</ApplicationInsightsResourceId>
      <UserSecretsId>aeab2d18-8e3f-4d4d-80da-22e33b54faae</UserSecretsId>
      <InvariantGlobalization>false</InvariantGlobalization>
    </PropertyGroup>
    <ItemGroup>
      <PackageReference Include="AspNetCore.HealthChecks.Redis" Version="9.0.0" />
      <PackageReference Include="AspNetCore.HealthChecks.SqlServer" Version="9.0.0" />
      <PackageReference Include="AspNetCore.HealthChecks.Uris" Version="9.0.0" />
      <PackageReference Include="Dapper" Version="2.1.66" />
      <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.23.0" />
      <PackageReference Include="IdentityServer4.AccessTokenValidation" Version="3.0.1" />
      <PackageReference Include="Microsoft.Data.SqlClient" Version="6.0.2" />
      <PackageReference Include="Ocelot" Version="24.0.0" />
      <PackageReference Include="Ocelot.Provider.Polly" Version="24.0.0" />
      <PackageReference Include="***.HealthChecks" Version="4.0.15" />
      <PackageReference Include="StackExchange.Redis" Version="2.8.24" />
    </ItemGroup>
    <ItemGroup>
      <WCFMetadata Include="Connected Services" />
    </ItemGroup>
  </Project>
- /Stargate.UnitTests/Stargate.UnitTests.csproj

  <Project Sdk="Microsoft.NET.Sdk">
    <PropertyGroup>
      <TargetFramework>net8.0</TargetFramework>
      <IsPackable>false</IsPackable>
    </PropertyGroup>
    <ItemGroup>
      <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.13.0" />
      <PackageReference Include="Moq" Version="4.20.72" />
      <PackageReference Include="xunit" Version="2.9.3" />
      <PackageReference Include="xunit.runner.visualstudio" Version="3.0.2">
        <PrivateAssets>all</PrivateAssets>
        <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
      </PackageReference>
      <PackageReference Include="coverlet.collector" Version="6.0.4">
        <PrivateAssets>all</PrivateAssets>
        <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
      </PackageReference>
    </ItemGroup>
    <ItemGroup>
      <ProjectReference Include="..\Stargate\Stargate.csproj" />
    </ItemGroup>
    <ItemGroup>
      <None Update="testsettings.json">
        <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
      </None>
    </ItemGroup>
  </Project>
- /Stargate.ApiTests/Stargate.ApiTests.csproj

  <Project Sdk="Microsoft.NET.Sdk">
    <PropertyGroup>
      <TargetFramework>net8.0</TargetFramework>
      <ImplicitUsings>enable</ImplicitUsings>
      <Nullable>enable</Nullable>
      <OutputType>Library</OutputType>
    </PropertyGroup>
    <ItemGroup>
      <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.13.0" />
      <PackageReference Include="xunit" Version="2.9.3" />
      <PackageReference Include="xunit.runner.visualstudio" Version="3.0.2">
        <PrivateAssets>all</PrivateAssets>
        <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
      </PackageReference>
      <PackageReference Include="Microsoft.Extensions.Configuration" Version="9.0.5" />
      <PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="9.0.5" />
      <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="9.0.5" />
    </ItemGroup>
    <ItemGroup>
      <None Update="testsettings.json">
        <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
      </None>
    </ItemGroup>
  </Project>
dependabot.yml content

version: 2
registries:
  private:
    type: nuget-feed
    url: https://***.dev.azure.com/***/_packaging/***/nuget/v3/index.json
    token: PAT:${{***}}
  nuget:
    type: nuget-feed
    url: https://api.nuget.org/v3/index.json
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "daily"
    registries:
      - nuget
      - private
    groups:
      testFrameworks:
        patterns:
          - "xunit*"
          - "Microsoft.NET.Test.Sdk"
          - "Moq"
          - "coverlet.collector"
      microsoftExtensions:
        patterns:
          - "Microsoft.Extensions*"
      aspNetCore:
        patterns:
          - "AspNetCore*"
      ocelot:
        patterns:
          - "Ocelot*"
  - package-ecosystem: "docker"
    directory: "/Stargate"
    schedule:
      interval: "daily"
Updated dependency
Bump the testFrameworks group with 6 updates
Performed the following updates:
Updated Microsoft.Extensions.Configuration from 9.0.5 to 9.0.6 in /Stargate.ApiTests/Stargate.ApiTests.csproj
Updated Microsoft.Extensions.Configuration.EnvironmentVariables from 9.0.5 to 9.0.6 in /Stargate.ApiTests/Stargate.ApiTests.csproj
Updated Microsoft.Extensions.Configuration.Json from 9.0.5 to 9.0.6 in /Stargate.ApiTests/Stargate.ApiTests.csproj
Updated Microsoft.NET.Test.Sdk from 17.13.0 to 17.14.1 in /Stargate.ApiTests/Stargate.ApiTests.csproj
Updated Microsoft.NET.Test.Sdk from 17.13.0 to 17.14.1 in /Stargate.UnitTests/Stargate.UnitTests.csproj
Updated StackExchange.Redis from 2.8.24 to 2.8.41 in /Stargate/Stargate.csproj
Updated xunit.runner.visualstudio from 3.0.2 to 3.1.1 in /Stargate.ApiTests/Stargate.ApiTests.csproj
Updated xunit.runner.visualstudio from 3.0.2 to 3.1.1 in /Stargate.UnitTests/Stargate.UnitTests.csproj
What you expected to see, versus what you actually saw
Given that the pull request name starts with "Bump the testFrameworks group", I expect to see only packages matching the patterns from the testFrameworks group. But dependabot also includes Microsoft.Extensions and StackExchange.Redis in the same PR.
I'm using the dependabot v2 task in an AzDO pipeline.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
Smallest manifest that reproduces the issue
No response
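One way to check a grouped-update PR against the group definitions, as an added example that is not part of the original issue and not Dependabot's own matching code: the script below takes the groups from the dependabot.yml above, parses the "Updated X from A to B in path" lines of the PR body quoted in the issue (embedded here as constructed input), and reports every package that does not belong to the group named in the PR title. It assumes Dependabot-style glob patterns (`*` wildcard), that a package lands in the first group whose patterns match it, and that NuGet package ids compare case-insensitively; those three points are labelled as assumptions in the code.

```python
"""Audit a Dependabot grouped-update PR against the groups in dependabot.yml.

Added example, not Dependabot's code. Assumptions (labelled where used):
first matching group wins, and ids compare case-insensitively.
"""
import re
from fnmatch import fnmatchcase

# Groups copied from the dependabot.yml in the issue, in file order.
GROUPS = {
    "testFrameworks": ["xunit*", "Microsoft.NET.Test.Sdk", "Moq", "coverlet.collector"],
    "microsoftExtensions": ["Microsoft.Extensions*"],
    "aspNetCore": ["AspNetCore*"],
    "ocelot": ["Ocelot*"],
}

# Constructed from the PR title and body quoted in the issue.
PR_TITLE = "Bump the testFrameworks group with 6 updates"
PR_BODY = """Performed the following updates:
Updated Microsoft.Extensions.Configuration from 9.0.5 to 9.0.6 in /Stargate.ApiTests/Stargate.ApiTests.csproj
Updated Microsoft.Extensions.Configuration.EnvironmentVariables from 9.0.5 to 9.0.6 in /Stargate.ApiTests/Stargate.ApiTests.csproj
Updated Microsoft.Extensions.Configuration.Json from 9.0.5 to 9.0.6 in /Stargate.ApiTests/Stargate.ApiTests.csproj
Updated Microsoft.NET.Test.Sdk from 17.13.0 to 17.14.1 in /Stargate.ApiTests/Stargate.ApiTests.csproj
Updated Microsoft.NET.Test.Sdk from 17.13.0 to 17.14.1 in /Stargate.UnitTests/Stargate.UnitTests.csproj
Updated StackExchange.Redis from 2.8.24 to 2.8.41 in /Stargate/Stargate.csproj
Updated xunit.runner.visualstudio from 3.0.2 to 3.1.1 in /Stargate.ApiTests/Stargate.ApiTests.csproj
Updated xunit.runner.visualstudio from 3.0.2 to 3.1.1 in /Stargate.UnitTests/Stargate.UnitTests.csproj
"""

UPDATE_RE = re.compile(r"Updated (\S+) from (\S+) to (\S+) in (\S+)")
TITLE_RE = re.compile(r"Bump the (\S+) group")


def group_for(package, groups=GROUPS):
    """Name of the first group whose patterns glob-match the package id, else None.

    Assumption: first match wins and package ids compare case-insensitively.
    """
    for name, patterns in groups.items():
        if any(fnmatchcase(package.lower(), pattern.lower()) for pattern in patterns):
            return name
    return None


def parse_updates(body):
    """Extract (package, old_version, new_version, manifest) tuples from a PR body."""
    return [match.groups() for match in UPDATE_RE.finditer(body)]


def audit_pr(title, body, groups=GROUPS):
    """Map each package in the PR that is outside the titled group to the
    group it actually matches (None when no group matches).

    A title without "Bump the <name> group" claims no group, so nothing is
    reported for it.
    """
    match = TITLE_RE.search(title)
    if not match:
        return {}
    claimed = match.group(1)
    strays = {}
    for package, _old, _new, _manifest in parse_updates(body):
        assigned = group_for(package, groups)
        if assigned != claimed:
            strays[package] = assigned
    return strays


if __name__ == "__main__":
    for package, assigned in sorted(audit_pr(PR_TITLE, PR_BODY).items()):
        print(f"{package}: titled group 'testFrameworks', matches {assigned or 'no group'}")
```

Run against the quoted PR it reports the three Microsoft.Extensions.Configuration packages (they match microsoftExtensions) and StackExchange.Redis (which matches no group at all), which is exactly the discrepancy the report describes; the same check can be run as a pipeline step so that a grouped PR pulling in packages from outside its group is noticed before review rather than after merge.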
Just a quarter ago dependabot opened a new PR trying to bump dependencies belonging to two different groups (see this comment for details).
I have also noticed this with NPM packages. It seemed strange given that dependabot would open PRs for both groups of dependencies I have, but would seemingly randomly put some from one of the groups into the other. I am curious, though, if dependabot sees "In order to update dependency 1 from group A, I also need to update dependency 2 from group B" and thus pulls that into the same PR as a transient update.
Despite https://github.com/dependabot/dependabot-core/pull/12462 claiming to fix the present issue, the issue seems still active.
Just yesterday dependabot created a PR that bumps dependencies from a group other than the one mentioned in the PR title. The PR title says about 13 bumps, while in fact there are more. Details.
Not sure if related, but last week's PR had a nice summary table and the relevant release notes gathered in the description, which yesterday's PR description is lacking.
@brettfo Could you please have a look at it?
@DamianSawicki PR #12462 only applied to the NuGet updater because it has its own custom logic. All other update ecosystems (e.g., NPM, Go, etc.) use a common handler and I don't know as much about that, but I'll see if I can find somebody to investigate.
Hi @brettfo, thanks so much for your help! Please let me know if a separate ticket is needed.
> Just yesterday dependabot created a https://github.com/kubernetes/dns/pull/710 that bumps dependencies from a group other than the one mentioned in the PR title. The PR title says about 13 bumps, while in fact there are more. https://github.com/kubernetes/dns/pull/710#issuecomment-2999716678.
Some of these bumped packages coming from another group are dependencies of packages from the relevant group as suggested by @OuranosSkia above, but not all of them. I added another comment to that PR with details.
On 16 June PR #12462 fixed some grouping problems. Does anybody have a PR from 17 June or later that shows the bad grouping logic?
As an aside, even with the grouping rules being applied, it's possible that other packages get updated at the same time due to the dependency solver fixing dependency conflicts that might pop up.
@brettfo Yes, I still have PRs created with all updates grouped in a single pull request - the newest not even 24h old. Unfortunately it's all in private repos. I have not gotten ungrouped / multiple pull requests for some weeks now.
The problem seems to be solved now. I ran my pipeline again and it made a PR named "Bump Microsoft.NET.Test.Sdk and xunit.runner.visualstudio". The content of the PR is updating only these two packages. Thank you for your help.
@Genmutant do your private repos exist on github.com or is this a hosted instance of GitHub Enterprise? If it's Enterprise, you'll likely need to update to get the latest NuGet updater. If it's hosted on github.com, you might need to close the bad PRs because the updater might be trying to refresh/rebase those instead of starting fresh.