dependabot-core

Dependabot no longer closes unnecessary PRs automatically

Open mpdude opened this issue 3 years ago • 2 comments

When Dependabot creates a PR for a particular update, and that update happens on the target branch by other means (manual update, for example), Dependabot will not automatically recognize this and close the PR.

Commenting @dependabot rebase works in this case, the PR is recognized as being no longer necessary. This is, however, not a practical solution when a lot of PRs have been opened.

I've seen #3782 which is about automatically rebasing Dependabot PRs. This is, however, not exactly the same: I don't need the rebase per se, and it would be a waste of resources 🌱 to run the rebase and subsequent workflows for every push to the target branch.

#3782 also mentions that Dependabot Native would do an automatic rebase in case of merge conflicts for the PR. But, when the manual update and the PR update to the same version of a dependency, often there is no such merge conflict, since the relevant lines in the lockfile (yarn.lock, composer.lock, ...) are the same on the target and base branch.

Previous behavior in Dependabot Preview:

I have already migrated away from Dependabot Preview and so I cannot try it again, but I am relatively sure that Dependabot Preview would immediately notice pushes to the target branch and react accordingly.

mpdude avatar Jun 10 '21 09:06 mpdude

If I may add on this, it happens for JS dependencies on many of my repos, but not for other languages (ex. PHP) where changes are detected and PRs are automatically closed correctly. As stated above, PRs are closed by issuing @dependabot rebase manually.

koichirose avatar Mar 18 '22 13:03 koichirose

Can anyone provide an example?

I have a hunch this is actually working as expected and "trying" to close the PRs, but runs into some other error when parsing certain lockfiles and then bombs out. That would explain why it works for some ecosystems but fails on others. The rebase command would force a rebase, probably skipping the codepath that is evaluating the changes/bombing out.

jeffwidman avatar Aug 09 '22 21:08 jeffwidman

Closing due to lack of response and suspicion there's another root cause.

jeffwidman avatar Nov 01 '22 06:11 jeffwidman