
Multi-directory support bug with go, terraform, docker

Open carlincherry opened this issue 9 months ago • 4 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Package ecosystem

go

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

https://github.com/dependabot/dependabot-core/issues/2178#issuecomment-2089201858

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

carlincherry avatar May 03 '24 16:05 carlincherry

Thanks @carlincherry! You can see the config here https://github.com/nginxinc/nginx-gateway-fabric/blob/main/.github/dependabot.yml and the PR with only one update https://github.com/nginxinc/nginx-gateway-fabric/pull/1921

lucacome avatar May 03 '24 17:05 lucacome

This also happens in Terraform and Docker

carlincherry avatar May 03 '24 17:05 carlincherry

This is my dependabot configuration: https://github.com/ivanvc/etcd/blob/77b2dfdaedc602904b208d91127b7a4d9ed66be7/.github/dependabot.yml#L9-L23.

A good example of it failing is that it created two PRs for the same dependency:

  • https://github.com/ivanvc/etcd/pull/41
  • https://github.com/ivanvc/etcd/pull/40

In other instances, it created a single PR updating the dependency in a single location, rather than everywhere it is referenced:

https://github.com/ivanvc/etcd/pull/38

tests/go.mod
69:     github.com/gorilla/websocket v1.4.2 // indirect

server/go.mod
56:     github.com/gorilla/websocket v1.4.2 // indirect

go.mod
59:     github.com/gorilla/websocket v1.4.2 // indirect

ivanvc avatar May 03 '24 17:05 ivanvc
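The failure mode described in the comment above (a dependency bumped in one go.mod but left at the old version in the others) is easy to miss in review and leaves part of a multi-module repository on the unpatched version. The script below is an added example, not code from dependabot-core or the etcd repository: it parses every go.mod it is given, collects the required version of each module per file, and reports modules whose versions disagree across files. The three file contents are constructed to mirror the layout in the comment (go.mod, server/go.mod, tests/go.mod) with a partial bump of github.com/gorilla/websocket; `load_modfiles` is a hypothetical helper for running the same check against a real checkout.

```python
import re
from pathlib import Path
from typing import Dict

# Constructed sample go.mod files (not the real etcd files): the root module has
# already received the websocket bump, the two nested modules have not.
SAMPLE_MODFILES: Dict[str, str] = {
    "go.mod": "\n".join([
        "module go.etcd.io/example",
        "",
        "go 1.22",
        "",
        "require (",
        "    github.com/gorilla/websocket v1.5.0 // indirect",
        "    golang.org/x/sys v0.20.0",
        ")",
    ]),
    "server/go.mod": "\n".join([
        "module go.etcd.io/example/server",
        "",
        "go 1.22",
        "",
        "require (",
        "    github.com/gorilla/websocket v1.4.2 // indirect",
        "    golang.org/x/sys v0.20.0",
        ")",
    ]),
    "tests/go.mod": "\n".join([
        "module go.etcd.io/example/tests",
        "",
        "go 1.22",
        "",
        "require github.com/gorilla/websocket v1.4.2 // indirect",
        "require golang.org/x/sys v0.20.0",
    ]),
}

# "<module path> <version>" as it appears inside a require directive.
REQUIRE_LINE = re.compile(r"^\s*(\S+)\s+(v\S+)")


def parse_requires(text: str) -> Dict[str, str]:
    """Return {module path: version} for every require entry in one go.mod.

    Handles both the block form 'require ( ... )' and single-line 'require x vN';
    trailing comments such as '// indirect' are ignored.
    """
    requires: Dict[str, str] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        if in_block:
            if line == ")":
                in_block = False
                continue
            m = REQUIRE_LINE.match(line)
            if m:
                requires[m.group(1)] = m.group(2)
        elif line.startswith("require ("):
            in_block = True
        elif line.startswith("require "):
            m = REQUIRE_LINE.match(line[len("require "):])
            if m:
                requires[m.group(1)] = m.group(2)
    return requires


def find_version_drift(modfiles: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Return {module path: {go.mod path: version}} for modules whose required
    version differs between files; modules that agree everywhere are omitted."""
    versions: Dict[str, Dict[str, str]] = {}
    for path, text in modfiles.items():
        for module, version in parse_requires(text).items():
            versions.setdefault(module, {})[path] = version
    return {m: locs for m, locs in versions.items() if len(set(locs.values())) > 1}


def load_modfiles(root: str) -> Dict[str, str]:
    """Hypothetical helper: read every go.mod under a checkout, keyed by relative path."""
    base = Path(root)
    return {str(p.relative_to(base)): p.read_text() for p in base.rglob("go.mod")}


if __name__ == "__main__":
    # Run against the constructed sample; swap in load_modfiles(".") for a real repo.
    for module, locations in sorted(find_version_drift(SAMPLE_MODFILES).items()):
        print(f"{module} is required at different versions:")
        for path, version in sorted(locations.items()):
            print(f"  {path}: {version}")
```

Run in CI after a Dependabot PR is opened, a non-empty result from `find_version_drift` is the signal that the bump only reached some of the modules and needs a follow-up before merging.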

Now, it seems like dependabot stopped working with the configuration I provided. We're still getting dependabot PRs with the old configuration at etcd-io/etcd. But my fork (ivanvc/etcd), which has the new configuration, hasn't received any go-related version PR bumps.

The configuration seems to be valid as of https://github.com/ivanvc/etcd/commit/ad4baf002577477723f5292be5109802c30fc613: https://github.com/ivanvc/etcd/runs/24565853947. But there are no new PRs in the last week: https://github.com/ivanvc/etcd/pulls?q=is%3Aopen+is%3Apr+author%3Aapp%2Fdependabot+label%3Ago

ivanvc avatar May 07 '24 16:05 ivanvc