
Make Dependabot respect Symfony Flex's "extra.symfony.require" setting

Open spideyfusion opened this issue 3 years ago • 4 comments

Symfony Flex has a feature that allows you to force a version constraint for all Symfony components (even for ones not explicitly defined in user's composer.json):

"extra": {
    "symfony": {
        "require": "5.4.*"
    }
}

This is really useful when Symfony is used as a full-stack framework because it ensures that all components get pinned to the exact same version.

It works great when a developer is manually updating packages (e.g. composer update 'symfony/*' -W).

The problem arises when Dependabot decides to update a dependency that depends on Symfony components. In Dependabot's default configuration, transitive dependencies will get updated as well. This can lead to a project that requires a specific version of Symfony have a mix of different component versions if it lags behind the latest available major version (e.g. a combination of 5.4 and 6.0 components). When this happens, a developer has to manually update packages again (with Composer that has the Symfony Flex plugin loaded) in order to restore the desired component versions.

Would it be possible to bundle Symfony Flex with Dependabot so it's aware of the extra.symfony.require setting?

spideyfusion avatar Jan 14 '22 12:01 spideyfusion

We are facing the same issue, not a problem per se, but lately MRs start to fail because this "mixed-bag" becomes more and more unstable.

PythooonUser avatar Aug 01 '22 14:08 PythooonUser

Does anyone have a workaround for this by any chance?

yakobe avatar Sep 18 '22 20:09 yakobe

I'm a bit hesitant to bundle Symfony Flex by default, as we've hit the generic "versions of multiple packages must be upgraded together" problem in multiple ecosystems.

There's a lot of use cases, all slight variations, so rather than Dependabot being smart about it, the easiest thing is if offered some way to specify manual grouping... ie, you as a user say "this group of dependencies must always bump in lockstep".

One tricky bit is that some groups have to always be updated as a group but the versions may be different, and others bump as a group but the versions must also bump in lockstep.

And also if Symfony adds a new subpackage, you'd have to notice and manually add it to the specified list of "must-be-updated-together".

But as an idea it would solve a whole class of problems across multiple ecosystems.

I'll mention it to the team as a product roadmap idea, no promises about whether it ships or not.

For an immediate workaround, you could run a custom GitHub action... a total kludge, but could be implemented today w/o requiring any changes in dependabot-core... basically just have an action that watches for PR's that don't match certain criteria and auto-close those.

jeffwidman avatar Sep 18 '22 21:09 jeffwidman
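The check behind the workaround above (an action that flags PRs whose lock file no longer matches `extra.symfony.require`) can be implemented directly. This is an added example in dependabot-core's own language, Ruby; it is not code from dependabot-core or from anyone in this thread. It assumes the constraint uses the wildcard or exact form shown in the issue, the skip list of independently versioned `symfony/*` packages is a constructed assumption, and the composer.json/composer.lock content is constructed sample input.

```ruby
require "json"

# Check a composer.lock against Symfony Flex's extra.symfony.require.
# Only the wildcard ("5.4.*") and exact constraint forms are handled here (assumption;
# Composer also accepts ^, ~ and ranges, which the Flex setting may use).
def version_satisfies?(version, constraint)
  v = version.sub(/\Av/, "")
  c = constraint.strip.sub(/\Av/, "")
  return v == c unless c.end_with?(".*")
  prefix = c[0...-2]
  v == prefix || v.start_with?("#{prefix}.")
end

# symfony/* packages that are versioned independently of the framework and so are not
# pinned by Flex. Constructed skip list (assumption); extend it for your project.
SKIP = [%r{\Asymfony/polyfill-}, %r{-contracts\z}, %r{\Asymfony/flex\z},
        %r{\Asymfony/(monolog|maker|webpack-encore)-bundle\z}].freeze

def core_symfony?(name)
  name.start_with?("symfony/") && SKIP.none? { |re| name.match?(re) }
end

# Returns [name, version] pairs for locked core Symfony packages outside the constraint.
# An empty array means the lock file is consistent with extra.symfony.require.
def symfony_version_violations(composer_json, composer_lock)
  constraint = JSON.parse(composer_json).dig("extra", "symfony", "require")
  return [] if constraint.nil?
  lock = JSON.parse(composer_lock)
  packages = lock.fetch("packages", []) + lock.fetch("packages-dev", [])
  packages.select { |p| core_symfony?(p["name"]) && !version_satisfies?(p["version"], constraint) }
          .map { |p| [p["name"], p["version"]] }
end

# Constructed sample input: the "mixed bag" from the issue, a 5.4 project with one 6.0 component.
COMPOSER_JSON = '{"require": {"symfony/console": "5.4.*"}, "extra": {"symfony": {"require": "5.4.*"}}}'
COMPOSER_LOCK = JSON.generate(
  "packages" => [
    { "name" => "symfony/console", "version" => "v5.4.20" },
    { "name" => "symfony/http-kernel", "version" => "v6.0.15" },
    { "name" => "symfony/polyfill-mbstring", "version" => "v1.27.0" },
    { "name" => "twig/twig", "version" => "v3.5.0" }
  ],
  "packages-dev" => [{ "name" => "symfony/var-dumper", "version" => "v5.4.20" }]
)
if __FILE__ == $PROGRAM_NAME
  symfony_version_violations(COMPOSER_JSON, COMPOSER_LOCK).each do |name, version|
    puts "#{name} #{version} violates extra.symfony.require"
  end
end
```

In a CI job, read the real composer.json and composer.lock from the PR checkout and fail the job when the returned array is non-empty.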

@jeffwidman Thanks for the reply! A generic "versions of multiple packages must be upgraded together" solution would be great! It would help with a couple of other dependencies too :).

yakobe avatar Sep 19 '22 11:09 yakobe

That's tracked at:

  • #1296

For now, I'll leave this open, because now that we've broken up the docker images per ecosystem, it might not be such a big overhead to eventually bundle Symfony into the PHP image since it's quite popular there. But will hold off on that for a little while at least.

jeffwidman avatar Feb 11 '23 06:02 jeffwidman

Update: We've started doing some grouped updates work! This particular issue might not be part of the first ship but if you want to track our updates, do follow #1190.

abdulapopoola avatar Apr 04 '23 21:04 abdulapopoola

Following up; can you use the grouping feature to achieve this?

abdulapopoola avatar Apr 18 '24 16:04 abdulapopoola

> Following up; can you use the grouping feature to achieve this?

Partially, I think. I have a working solution, where I have to make a major or minor update myself, but patch updates are made automatically as a group - if available.

version: 2
updates:
  - package-ecosystem: "composer" # See documentation for possible values
    directory: "/" # Location of package manifests
    open-pull-requests-limit: 10
    allow:
      # Allow both direct and indirect updates for all packages
      - dependency-type: "all"
    ignore:
      - dependency-name: "symfony/*"
        update-types: ["version-update:semver-major", "version-update:semver-minor"]
    groups:
      symfony:
        patterns:
          - "symfony/*"
      twig:
        patterns:
          - "twig/*"

Rindula avatar Apr 19 '24 12:04 Rindula