Dependabot does not consider ignore rule
Is there an existing issue for this?
- [X] I have searched the existing issues
Package ecosystem
nuget
Package manager version
No response
Language version
netstandard2.0
Manifest location and content before the Dependabot update
https://github.com/jscarle/AttributeSourceGenerator/blob/main/src/AttributeSourceGenerator/AttributeSourceGenerator.csproj
```xml
<ItemGroup>
  <PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="4.3.1" PrivateAssets="all"/>
  <PackageReference Include="Microsoft.Bcl.HashCode" Version="1.1.1" PrivateAssets="all"/>
</ItemGroup>
```
dependabot.yml content
https://github.com/jscarle/AttributeSourceGenerator/blob/main/.github/dependabot.yml
```yaml
version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "Microsoft.CodeAnalysis.CSharp"
```
Updated dependency
Microsoft.CodeAnalysis.CSharp 4.3.1 => 4.9.2
What you expected to see, versus what you actually saw
Ignore should be respected and PR should not be opened.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
https://github.com/jscarle/AttributeSourceGenerator/pull/4
Smallest manifest that reproduces the issue
```yaml
version: 2
updates:
  - package-ecosystem: "nuget"
    ignore:
      - dependency-name: "Microsoft.CodeAnalysis.CSharp"
```
Investigating a bit, it looks like if no version ranges are specified like in your scenario, the core updater ends up passing the string ">= 0" which winds its way through and when we eventually do version range matching, that's not a valid NuGet version range, so it doesn't apply. The fix could be as simple as rewriting ">= 0" to "*", but the updater is currently undergoing a rewrite in C#.
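A check for the case described in the comment above, as an added example that is not Dependabot's code and not part of the original thread: it lists every nuget `ignore` rule that specifies no `versions`, which is the situation reported to fall through to ">= 0". The function name and the sample entries marked "constructed" are assumptions.

```ruby
require "yaml"

# Returns [directory, dependency-name] pairs for each nuget ignore rule
# that carries no `versions` key (the scenario reported in this issue).
def unscoped_nuget_ignores(yaml_text)
  config = YAML.safe_load(yaml_text)
  return [] unless config.is_a?(Hash)
  findings = []
  Array(config["updates"]).each do |update|
    next unless update.is_a?(Hash)
    next unless update["package-ecosystem"].to_s.downcase == "nuget"
    Array(update["ignore"]).each do |rule|
      next unless rule.is_a?(Hash)
      versions = Array(rule["versions"]).map(&:to_s).reject(&:empty?)
      next unless versions.empty?
      findings << [update["directory"].to_s, rule["dependency-name"].to_s]
    end
  end
  findings
end

# The dependabot.yml from this issue, plus constructed entries for contrast.
SAMPLE = <<~YAML
  version: 2
  updates:
    - package-ecosystem: "nuget"
      directory: "/"
      schedule:
        interval: "weekly"
      ignore:
        - dependency-name: "Microsoft.CodeAnalysis.CSharp"
        - dependency-name: "Example.Pinned"   # constructed
          versions: ["4.x"]
    - package-ecosystem: "npm"                # constructed
      directory: "/web"
      schedule:
        interval: "weekly"
      ignore:
        - dependency-name: "example-js"
YAML

if __FILE__ == $PROGRAM_NAME
  unscoped_nuget_ignores(SAMPLE).each do |dir, name|
    puts "nuget ignore for #{name} (directory #{dir}) has no versions; " \
         "confirm Dependabot is actually honouring it"
  end
end
```

Run against a repository's `.github/dependabot.yml`, any name it reports is a dependency whose ignore rule should be verified against the pull requests Dependabot actually opens.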
You'd think that "ignore" would be clear enough.