Dependabot not ignoring major semver changes
Is there an existing issue for this?
- [X] I have searched the existing issues
Package ecosystem
Docker
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
No response
dependabot.yml content
```yaml
version: 2
updates:
  - package-ecosystem: "docker" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```
Updated dependency
eclipse-temurin from 11.0.14.1_1-jre-alpine to 11.0.16.1_1-jre-alpine
What you expected to see, versus what you actually saw
Expected
eclipse-temurin from 11.0.14.1_1-jre-alpine to 11.0.16.1_1-jre-alpine
Actual
eclipse-temurin from 11.0.14.1_1-jre-alpine to 17.0.4_8-jre-alpine
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
proxy | time="2022-09-20T15:23:11Z" level=info msg="proxy starting" commit=b031647dc5f52d8120800fc16337727989cb9be0
proxy | 2022/09/20 15:23:11 Listening (:1080)
updater | 2022-09-20T15:23:11.959085124 [anonymous-instance:main:WARN:src/firecracker/src/main.rs:370] You are using a deprecated parameter: --seccomp-level 2, that will be removed in a future version.
updater | 2022-09-20T15:23:12.024873453 [465689105:main:WARN:src/devices/src/legacy/serial.rs:432] Detached the serial input due to peer close/error.
updater | time="2022-09-20T15:23:15Z" level=info msg="guest starting" commit=d97478b458e198f9b9a6cb546d902ee2e6651286
updater | time="2022-09-20T15:23:15Z" level=info msg="starting job..." fetcher_timeout=5m0s job_id=465689105 updater_timeout=45m0s updater_version=614fafdba436f058e32b92f1fc0a6ea940fe5c01
updater | I, [2022-09-20T15:23:18.755226 #7] INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | To use retry middleware with Faraday v2.0+, install `faraday-retry` gem
updater | INFO <job_465689105> Starting job processing
proxy | 2022/09/20 15:23:24 [002] GET https://api.github.com:443/repos/elcoops99/test-dependabot
proxy | 2022/09/20 15:23:24 [002] * authenticating github api request
proxy | 2022/09/20 15:23:24 [002] 200 https://api.github.com:443/repos/elcoops99/test-dependabot
proxy | 2022/09/20 15:23:24 [004] GET https://api.github.com:443/repos/elcoops99/test-dependabot/git/refs/heads/main
proxy | 2022/09/20 15:23:24 [004] * authenticating github api request
proxy | 2022/09/20 15:23:24 [004] 200 https://api.github.com:443/repos/elcoops99/test-dependabot/git/refs/heads/main
proxy | 2022/09/20 15:23:24 [006] GET https://api.github.com:443/repos/elcoops99/test-dependabot/contents/?ref=6c206aa384501da277a6f9fe6fa43b369cb9c503
proxy | 2022/09/20 15:23:24 [006] * authenticating github api request
proxy | 2022/09/20 15:23:24 [006] 200 https://api.github.com:443/repos/elcoops99/test-dependabot/contents/?ref=6c206aa384501da277a6f9fe6fa43b369cb9c503
proxy | 2022/09/20 15:23:24 [008] GET https://api.github.com:443/repos/elcoops99/test-dependabot/contents/Dockerfile?ref=6c206aa384501da277a6f9fe6fa43b369cb9c503
proxy | 2022/09/20 15:23:24 [008] * authenticating github api request
proxy | 2022/09/20 15:23:25 [008] 200 https://api.github.com:443/repos/elcoops99/test-dependabot/contents/Dockerfile?ref=6c206aa384501da277a6f9fe6fa43b369cb9c503
updater | INFO <job_465689105> Finished job processing
updater | time="2022-09-20T15:23:25Z" level=info msg="task complete" container_id=job-465689105-file-fetcher exit_code=0 job_id=465689105 step=fetcher
updater | I, [2022-09-20T15:23:26.921430 #7] INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | To use retry middleware with Faraday v2.0+, install `faraday-retry` gem
updater | INFO <job_465689105> Starting job processing
updater | INFO <job_465689105> Starting update job for elcoops99/test-dependabot
updater | INFO <job_465689105> Checking if eclipse-temurin 11.0.14.1_1-jre-alpine needs updating
updater | INFO <job_465689105> Ignored versions:
updater | INFO <job_465689105> version-update:semver-major - from .github/dependabot.yml
proxy | 2022/09/20 15:23:30 [012] GET https://registry.hub.docker.com:443/v2/library/eclipse-temurin/tags/list
proxy | 2022/09/20 15:23:30 [012] 401 https://registry.hub.docker.com:443/v2/library/eclipse-temurin/tags/list
proxy | 2022/09/20 15:23:31 [014] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Feclipse-temurin%3Apull
proxy | 2022/09/20 15:23:31 [014] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Feclipse-temurin%3Apull
proxy | 2022/09/20 15:23:31 [016] GET https://registry.hub.docker.com:443/v2/library/eclipse-temurin/tags/list
proxy | 2022/09/20 15:23:31 [016] 200 https://registry.hub.docker.com:443/v2/library/eclipse-temurin/tags/list
proxy | 2022/09/20 15:23:31 [018] HEAD https://registry.hub.docker.com:443/v2/library/eclipse-temurin/manifests/latest
proxy | 2022/09/20 15:23:31 [018] 401 https://registry.hub.docker.com:443/v2/library/eclipse-temurin/manifests/latest
proxy | 2022/09/20 15:23:31 [020] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Feclipse-temurin%3Apull
proxy | 2022/09/20 15:23:31 [020] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Feclipse-temurin%3Apull
proxy | 2022/09/20 15:23:31 [022] HEAD https://registry.hub.docker.com:443/v2/library/eclipse-temurin/manifests/latest
proxy | 2022/09/20 15:23:31 [022] 200 https://registry.hub.docker.com:443/v2/library/eclipse-temurin/manifests/latest
proxy | 2022/09/20 15:23:31 [024] HEAD https://registry.hub.docker.com:443/v2/library/eclipse-temurin/manifests/18
proxy | 2022/09/20 15:23:31 [024] 401 https://registry.hub.docker.com:443/v2/library/eclipse-temurin/manifests/18
proxy | 2022/09/20 15:23:32 [026] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Feclipse-temurin%3Apull
proxy | 2022/09/20 15:23:32 [026] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Feclipse-temurin%3Apull
proxy | 2022/09/20 15:23:32 [028] HEAD https://registry.hub.docker.com:443/v2/library/eclipse-temurin/manifests/18
proxy | 2022/09/20 15:23:32 [028] 200 https://registry.hub.docker.com:443/v2/library/eclipse-temurin/manifests/18
updater | INFO <job_465689105> Latest version is 17.0.4_8-jre-alpine
proxy | 2022/09/20 15:23:32 [030] HEAD https://registry.hub.docker.com:443/v2/library/eclipse-temurin/manifests/11.0.14.1_1-jre-alpine
proxy | 2022/09/20 15:23:32 [030] 401 https://registry.hub.docker.com:443/v2/library/eclipse-temurin/manifests/11.0.14.1_1-jre-alpine
proxy | 2022/09/20 15:23:32 [032] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Feclipse-temurin%3Apull
proxy | 2022/09/20 15:23:32 [032] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Feclipse-temurin%3Apull
proxy | 2022/09/20 15:23:32 [034] HEAD https://registry.hub.docker.com:443/v2/library/eclipse-temurin/manifests/11.0.14.1_1-jre-alpine
proxy | 2022/09/20 15:23:32 [034] 200 https://registry.hub.docker.com:443/v2/library/eclipse-temurin/manifests/11.0.14.1_1-jre-alpine
proxy | 2022/09/20 15:23:32 [036] HEAD https://registry.hub.docker.com:443/v2/library/eclipse-temurin/manifests/17.0.4_8-jre-alpine
proxy | 2022/09/20 15:23:32 [036] 401 https://registry.hub.docker.com:443/v2/library/eclipse-temurin/manifests/17.0.4_8-jre-alpine
proxy | 2022/09/20 15:23:32 [038] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Feclipse-temurin%3Apull
proxy | 2022/09/20 15:23:32 [038] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Feclipse-temurin%3Apull
proxy | 2022/09/20 15:23:32 [040] HEAD https://registry.hub.docker.com:443/v2/library/eclipse-temurin/manifests/17.0.4_8-jre-alpine
proxy | 2022/09/20 15:23:32 [040] 200 https://registry.hub.docker.com:443/v2/library/eclipse-temurin/manifests/17.0.4_8-jre-alpine
updater | INFO <job_465689105> Pull request already exists for eclipse-temurin with latest version 17.0.4_8-jre-alpine
updater | INFO <job_465689105> Finished job processing
updater | time="2022-09-20T15:23:33Z" level=info msg="task complete" container_id=job-465689105-updater exit_code=0 job_id=465689105 step=updater
Smallest manifest that reproduces the issue
FROM eclipse-temurin:11.0.14.1_1-jre-alpine as java11
Background context here: https://github.com/dependabot/dependabot-core/issues/5728#issuecomment-1252489745
Your config looks correct to me to ignore major semver changes, so this looks like a bug, but unrelated to #5734.
Unfortunately this one doesn't have a lot of impacted users, so probably will take a bit to get to it.
If you want to help, try running the dry-run script locally (I highly suggest running within the docker container as explained in the readme section just above that). And then add some puts statements or even a breakpoint to step through and see whether the problem is that the code doesn't think it's a major version bump or if the code simply never guards against major version bumps...
Anything you can do to make it quicker for us to fix increases the chance we'll get to it. Also, feel free to put together a PR with a failing test case; you can see an example of how to create one for the docker ecosystem in #5734.
Hi @jeffwidman
I would love to help as much as I can, but forgive me, I have no prior experience in Ruby. However, I have tried to add a couple of puts statements where I think it's running an if statement to determine whether any ignore conditions are set (in this block).
This resulted in the message saying there are no ignore conditions present being output (log at the bottom).
```ruby
# Reporter's instrumented copy of ignored_versions_for from bin/dry-run.rb,
# with puts statements added to show which branch is taken.
def ignored_versions_for(dep)
  if $options[:ignore_conditions].any?
    puts "Ignore Conditions are present"
    ignore_conditions = $options[:ignore_conditions].map do |ic|
      Dependabot::Config::IgnoreCondition.new(
        dependency_name: ic["dependency-name"],
        versions: [ic["version-requirement"]].compact,
        update_types: ic["update-types"]
      )
    end
    Dependabot::Config::UpdateConfig.new(ignore_conditions: ignore_conditions).
      ignored_versions_for(dep, security_updates_only: $options[:security_updates_only])
  else
    puts "No ignore conditions present"
    $update_config.ignored_versions_for(dep)
  end
end
```
[dependabot-core-dev] ~/dependabot-core $ bin/dry-run.rb docker lcooper01/test-dependabot
To use retry middleware with Faraday v2.0+, install `faraday-retry` gem
=> fetching dependency files
=> dumping fetched dependency files: ./dry-run/lcooper01/test-dependabot/
=> parsing dependency files
=> updating 1 dependencies: eclipse-temurin
No ignore conditions present
=== eclipse-temurin (11.0.14.1_1-jre-alpine)
=> checking for updates 1/1
=> latest available version is 17.0.4_8-jre-alpine
=> latest allowed version is 17.0.4_8-jre-alpine
=> requirements to unlock: own
=> requirements update strategy:
=> updating eclipse-temurin from 11.0.14.1_1-jre-alpine to 17.0.4_8-jre-alpine
± Dockerfile
~~~
1c1
< FROM eclipse-temurin:11.0.14.1_1-jre-alpine as java11
---
> FROM eclipse-temurin:17.0.4_8-jre-alpine as java11
~~~
🌍 Total requests made: '0'
Hei @lcooper01!
Nice start of the investigation. Your conclusion is correct: dry-run.rb does not use ignore conditions by default, although you can pass them in a very cumbersome way, like this:
```shell
IGNORE_CONDITIONS='[{"dependency-name":"*","update-types": ["version-update:semver-major"]}]' bin/dry-run.rb docker lcooper01/test-dependabot
```
Happily, using your sample repository I was able to identify the problem, and I will open a PR shortly 🎉.
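The two questions raised in the thread so far are whether the code recognises 11.0.14.1_1 to 17.0.4_8 as a semver-major bump, and whether an ignore condition of the shape passed in IGNORE_CONDITIONS above then blocks it. The following Ruby is an added illustration of that check, not dependabot-core code: `parse_tag`, `bump_type`, `ignored?` and `latest_allowed` are hypothetical stand-ins for the library's version and ignore-condition classes, and the candidate tag list is constructed to resemble the registry's tags/list response.

```ruby
# Added illustration, not dependabot-core code. Models the ignore check the
# reporter's dependabot.yml asks for, on Docker tags of the form seen in the issue.
# parse_tag, bump_type, ignored? and latest_allowed are hypothetical helpers.

# A tag like "11.0.14.1_1-jre-alpine" splits into a numeric version ("11.0.14.1_1")
# and a variant suffix ("jre-alpine"); tags with no leading digits ("latest") do not parse.
TAG_PATTERN = /\A(?<version>\d+(?:[._]\d+)*)(?:-(?<suffix>.+))?\z/

# Maps a bump type to the update-type string used in dependabot.yml.
UPDATE_TYPE_FOR = {
  major: "version-update:semver-major",
  minor: "version-update:semver-minor",
  patch: "version-update:semver-patch"
}.freeze

def parse_tag(tag)
  m = TAG_PATTERN.match(tag)
  return nil unless m

  { version: m[:version].split(/[._]/).map(&:to_i), suffix: m[:suffix].to_s }
end

# :major, :minor or :patch for from -> to; nil when the numeric parts are equal.
def bump_type(from, to)
  a = from[:version]
  b = to[:version]
  return :major if a[0] != b[0]
  return :minor if a[1] != b[1]
  return :patch if a[2..] != b[2..]

  nil
end

# True when some ignore condition names this dependency ("*" matches any name,
# via shell-style globbing) and lists the update type of this bump.
def ignored?(dependency_name, from_tag, to_tag, ignore_conditions)
  from = parse_tag(from_tag)
  to = parse_tag(to_tag)
  return false unless from && to

  type = bump_type(from, to)
  return false if type.nil?

  ignore_conditions.any? do |ic|
    File.fnmatch(ic["dependency-name"].to_s, dependency_name) &&
      Array(ic["update-types"]).include?(UPDATE_TYPE_FOR[type])
  end
end

# Highest candidate tag that keeps the current variant suffix and is not ignored.
def latest_allowed(dependency_name, current_tag, candidate_tags, ignore_conditions)
  current = parse_tag(current_tag)
  return nil unless current

  candidate_tags
    .select { |t| (parsed = parse_tag(t)) && parsed[:suffix] == current[:suffix] }
    .reject { |t| ignored?(dependency_name, current_tag, t, ignore_conditions) }
    .max_by { |t| parse_tag(t)[:version] }
end

if $PROGRAM_NAME == __FILE__
  # Same shape as the IGNORE_CONDITIONS JSON accepted by dry-run.rb.
  ignore = [{ "dependency-name" => "*", "update-types" => ["version-update:semver-major"] }]
  # Constructed candidate list standing in for the registry's tags/list response.
  tags = ["11.0.16.1_1-jre-alpine", "17.0.4_8-jre-alpine", "17.0.4_8-jdk-alpine", "18", "latest"]
  current = "11.0.14.1_1-jre-alpine"
  puts "without ignore: #{latest_allowed('eclipse-temurin', current, tags, [])}"
  puts "with ignore:    #{latest_allowed('eclipse-temurin', current, tags, ignore)}"
end
```

With the semver-major condition in place the highest allowed tag is 11.0.16.1_1-jre-alpine, which is the PR the reporter expected; with no conditions it is 17.0.4_8-jre-alpine, which is what Dependabot actually opened. The point of the example is that when a job logs "Ignored versions: version-update:semver-major" and still proposes 17, the bump classification or the condition lookup (not the config) is where to put the breakpoint.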
Great news, thanks @deivid-rodriguez
I completely forgot about this 🙏! Opened a PR to fix this now at #6115.
@deivid-rodriguez thanks so much for putting together the PR, do you know when it's scheduled to be merged?
I still want to try to tweak it a bit to make it less invasive, will mark it as ready after that and once it gets approved I'll merge it.
Just facing this same issue, any update you can give us @deivid-rodriguez?
Hei @guilhemferr. The PR was rebased and I decided that the original approach was good enough. It also got a review from @Nishnha, so I hope to ship it very soon!
@deivid-rodriguez Is this still on the radar? We really appreciate the work you did in #6115, but it has been quiet for about a month now.
Yes @Bert-R, sorry for the delay there, it was a busy month for me. Trying to catch up now and shipping improvements like that one.
Finally got around to shipping this. Please let me know if something unexpected comes up!
@deivid-rodriguez Thanks a lot! When can we expect to see this in production?
It already is!
Tested it and it works
I tested it and it works if you have one FROM statement in the dockerfile.
If you have the config for two images in the Dockerfile it will only pick up the first FROM and create only one PR for the repo rather than 2.
@lcooper01 So Dependabot was creating two PRs to an incorrect version, while now it is creating just one PR to a correct version, is that it? Could you open a separate issue about this? If you can also create a sample repository, that'd be even more awesome!
I'll do that and link it here so anyone who's interested can track it.
@deivid-rodriguez I've put together another issue and tried a few different scenarios that I've tried to document. If any of them aren't clear or need reproducing to show any additional logs etc then please let me know.
https://github.com/dependabot/dependabot-core/issues/6700