
Dependabot won't update dependency due to closed PR, but PR can't be reopened

Open colatkinson opened this issue 1 year ago • 0 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Package ecosystem

Docker

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

If possible I'd like to avoid posting internal code. However, the relevant bit of /Dockerfile is

FROM gcr.io/distroless/nodejs20-debian11:debug-nonroot@sha256:61ab5c263ca889340f2eca258f56b874ae0f82dec37222dda22e12f446441648

dependabot.yml content

Sections for other package ecosystems have been omitted for brevity:

version: 2
updates:
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"

Updated dependency

Original PR:
From: gcr.io/distroless/nodejs20-debian11:debug-nonroot@sha256:1d4f76504fc495f074c86db1804c3a8325421d8dfa6e79680b2ad4a7ba8d646d
To: gcr.io/distroless/nodejs20-debian11:debug-nonroot@sha256:61ab5c263ca889340f2eca258f56b874ae0f82dec37222dda22e12f446441648

Expected behavior now:
From: gcr.io/distroless/nodejs20-debian11:debug-nonroot@sha256:61ab5c263ca889340f2eca258f56b874ae0f82dec37222dda22e12f446441648
To: gcr.io/distroless/nodejs20-debian11:debug-nonroot@sha256:10f36db40ca171cd929d90769531ccc39ad41116828f770b075aa67a1360d82f

What you expected to see, versus what you actually saw

Per the documentation and comments on #2024, if a Dependabot PR is closed, it will not open a new PR for that same version.

This causes issues with Docker images when the image digest changes but the tag version does not. Consider e.g. Google's distroless images, which always reuse tags such as gcr.io/distroless/nodejs20-debian11:nonroot -- updating by digest is the intended usage.

The normal workaround for this is to reopen the PR, at which point Dependabot will resume updating that dependency. However, the old PR may not necessarily be reopenable. Consider the following case:

  1. Dependabot opens a PR to bump package xyz.
  2. A developer realizes that additional changes need to be made in concert with the bump, and so creates another branch containing these changes.
    1. Note that in this case, the exact commit from the Dependabot PR is present in the new branch.
  3. The developer includes a comment in the manual PR "Closes #XYZ."
  4. Manual PR merges, and the Dependabot PR is marked as closed automatically by GitHub because of the comment.
  5. Attempt to reopen the Dependabot PR, but GitHub blocks this because "the commits are already merged."

I haven't been able to figure out a way around this, so for now we've just been doing updates manually. Any advice for a more convenient workaround would be welcome!

Also, please let me know if this is something specific to the GitHub integrated version and we can instead raise the issue with support.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

colatkinson, Feb 09 '24 19:02
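The manual digest bump the reporter has fallen back to, as an added example that is not part of the issue or of dependabot-core: a small Python script that parses the FROM lines of a Dockerfile, compares each pinned digest against what the registry currently serves for that tag, and rewrites the line only when the two differ. The sample Dockerfile and the CURRENT_DIGESTS mapping are constructed for the demo (the two distroless digests are the ones quoted in the issue); the script itself makes no network calls. In real use the mapping would be filled from `crane digest <image:tag>` or `docker buildx imagetools inspect <image:tag>`, and the malformed-digest check keeps a bad lookup result from being written into the Dockerfile.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One Dockerfile FROM instruction: optional --platform flag, an image
# reference with optional :tag and optional @sha256:digest, optional "AS name".
_FROM_RE = re.compile(
    r"^(?P<prefix>\s*FROM\s+(?:--platform=\S+\s+)?)"
    r"(?P<name>[^\s@]+?)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
    r"(?P<suffix>(?:\s+AS\s+\S+)?\s*)$",
    re.IGNORECASE,
)
# Shape of an OCI sha256 digest; anything else is refused before it is written.
_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class FromLine:
    lineno: int             # 1-based line number in the Dockerfile
    name: str               # repository, e.g. gcr.io/distroless/nodejs20-debian11
    tag: Optional[str]      # e.g. debug-nonroot, or None when no tag is given
    digest: Optional[str]   # pinned sha256:... or None when the line is unpinned

    @property
    def tagged(self) -> str:
        """name:tag key used to look up the registry's current digest."""
        return f"{self.name}:{self.tag}" if self.tag else self.name


def parse_from_lines(dockerfile: str) -> List[FromLine]:
    """Return every FROM instruction with its image reference split up."""
    found = []
    for lineno, line in enumerate(dockerfile.splitlines(), start=1):
        m = _FROM_RE.match(line)
        if m:
            found.append(FromLine(lineno, m.group("name"), m.group("tag"), m.group("digest")))
    return found


def update_digests(dockerfile: str, current: Dict[str, str]) -> Tuple[str, List[dict]]:
    """Rewrite pinned FROM lines whose digest no longer matches `current`.

    `current` maps "name:tag" to the digest the registry serves for that tag
    today. Unpinned lines and tags missing from `current` are left untouched
    but reported, so nothing is silently skipped.
    """
    for key, dig in current.items():
        if not _DIGEST_RE.match(dig):
            raise ValueError(f"refusing malformed digest for {key}: {dig!r}")

    lines = dockerfile.splitlines(keepends=True)
    report = []
    for ref in parse_from_lines(dockerfile):
        new = current.get(ref.tagged)
        if ref.digest is None:
            report.append({"line": ref.lineno, "image": ref.tagged, "status": "unpinned"})
        elif new is None:
            report.append({"line": ref.lineno, "image": ref.tagged, "status": "unknown"})
        elif new == ref.digest:
            report.append({"line": ref.lineno, "image": ref.tagged, "status": "current"})
        else:
            idx = ref.lineno - 1
            lines[idx] = lines[idx].replace(ref.digest, new, 1)
            report.append({"line": ref.lineno, "image": ref.tagged, "status": "updated",
                           "old": ref.digest, "new": new})
    return "".join(lines), report


# Constructed Dockerfile for the demo. The pinned digest is the one the issue
# says is currently in use; the newer one below is the update Dependabot skipped.
SAMPLE_DOCKERFILE = """\
FROM node:20-bookworm AS build
WORKDIR /app
COPY . .
RUN npm ci && npm run build

FROM gcr.io/distroless/nodejs20-debian11:debug-nonroot@sha256:61ab5c263ca889340f2eca258f56b874ae0f82dec37222dda22e12f446441648
COPY --from=build /app/dist /app
CMD ["/app/server.js"]
"""

# Constructed stand-in for a registry lookup (no network here). In practice,
# fill it from `crane digest <image:tag>` or `docker buildx imagetools inspect`.
CURRENT_DIGESTS = {
    "gcr.io/distroless/nodejs20-debian11:debug-nonroot":
        "sha256:10f36db40ca171cd929d90769531ccc39ad41116828f770b075aa67a1360d82f",
}

if __name__ == "__main__":
    updated, report = update_digests(SAMPLE_DOCKERFILE, CURRENT_DIGESTS)
    for entry in report:
        print(entry)
    print(updated)
```

Running the script twice is safe: the second pass reports the distroless line as "current" and leaves the file alone, which makes it usable as a scheduled job or a CI check that fails when any line is reported "updated" or "unpinned".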