feat: Parse versions from metadata links
Dependabot PRs that update a single dependency include version details in the commit message introduction, e.g., "Bumps <dependency> from <prevVersion> to <newVersion>."
This is the format generated by the commit_message_intro method in Dependabot Core.
However, when multiple dependencies are updated in a single PR, this format isn't used, which limits the action’s ability to extract accurate version information.
This change improves version parsing for multi-dependency PRs by introducing two additional detection strategies:
- YAML metadata parsing: Dependabot includes a YAML block in the commit message with structured details for each updated dependency:

    updated-dependencies:
    - dependency-name: commons-codec:commons-codec
      dependency-version: 1.18.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: non-breaking

  This is the most reliable and stable source for the new version of each dependency, though it does not include the previous version.
- Metadata links parsing: In multi-dependency updates, Dependabot also appends "metadata links" with a format like "Updates <dependencyName> from <prevVersion> to <newVersion>". These lines are generated by the metadata_links method and provide both the old and new versions.
By combining these sources, the action now supports version parsing for PRs with multiple updated dependencies—broadening its coverage and improving reliability.
Closes #402
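The two strategies described above, combined the way the PR describes, as an added TypeScript example that is not the fetch-metadata action's own code. The commit message is a constructed sample; the backticks around dependency names in the "Updates" lines and the line-by-line YAML scanning (instead of a YAML library) are assumptions.

```typescript
// Added example, not the fetch-metadata action's own code: recover per-dependency
// versions from a Dependabot multi-dependency commit message using both sources.
export type DependencyVersions = { dependencyName: string; prevVersion?: string; newVersion: string };
// Constructed sample message. Backticks around the name are an assumption about
// Dependabot Core's metadata_links output; the parser treats them as optional.
export const SAMPLE_COMMIT_MESSAGE = [
  'Updates `commons-codec:commons-codec` from 1.17.0 to 1.18.0',
  'Updates `org.slf4j:slf4j-api` from 2.0.16 to 2.0.17',
  '---',
  'updated-dependencies:',
  '- dependency-name: commons-codec:commons-codec',
  '  dependency-version: 1.18.0',
  '  dependency-group: non-breaking',
  '- dependency-name: org.slf4j:slf4j-api',
  '  dependency-version: 2.0.17',
  '...',
].join('\n');
// Strategy 1: scan the flat "key: value" YAML block line by line; stops at "..." or a blank line.
export function parseYamlMetadata(body: string): Record<string, string> {
  const versions: Record<string, string> = {};
  const lines = body.split('\n');
  const start = lines.indexOf('updated-dependencies:');
  let name: string | undefined;
  for (const raw of start === -1 ? [] : lines.slice(start + 1)) {
    const line = raw.trim().replace(/^-\s*/, ''); // drop the YAML list marker
    if (line === '...' || line === '') break;
    const m = /^([a-z-]+):\s*(.+)$/.exec(line);
    if (m && m[1] === 'dependency-name') name = m[2].trim();
    else if (m && m[1] === 'dependency-version' && name) versions[name] = m[2].trim();
  }
  return versions;
}
// Strategy 2: one "Updates <name> from <prev> to <new>" metadata link per line.
export function parseMetadataLinks(body: string): Record<string, [string, string]> {
  const versions: Record<string, [string, string]> = {};
  for (const line of body.split('\n')) {
    const m = /^Updates `?([^`\s]+)`? from (\S+) to (\S+)\.?$/.exec(line.trim());
    if (m) versions[m[1]] = [m[2], m[3]]; // [prevVersion, newVersion]
  }
  return versions;
}
// YAML is authoritative for the new version; links add the previous version and are the fallback.
export function parseVersions(body: string): Record<string, DependencyVersions> {
  const yaml = parseYamlMetadata(body), links = parseMetadataLinks(body);
  const result: Record<string, DependencyVersions> = {};
  for (const n of Object.keys(links)) result[n] = { dependencyName: n, prevVersion: links[n][0], newVersion: links[n][1] };
  for (const n of Object.keys(yaml)) result[n] = { dependencyName: n, prevVersion: links[n]?.[0], newVersion: yaml[n] };
  return result;
}
```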
Hi @jeffwidman,
Just a gentle reminder about this PR. Since we switched to compulsory reviews, handling Dependabot PRs (which previously merged automatically with changelog entries) has become more time-consuming. This change (along with apache/logging-parent#419) is part of the approach we devised to streamline things by grouping updates and reviewing them as a single PR.
Would you have an idea when this might be merged and included in a release?
Thanks!
Very much looking forward to this, thank you @ppkarwasz