Closed valentijnscholten closed 4 years ago
This is what I sent to them:
Hi,
We are using dependabot and it works fine most of the time. But currently we see what we believe to be a bug.
Earlier this year we got a PR from dependabot to update jquery from 3.4.1 to 3.5.0.
But jquery 3.5.0 had breaking changes, so we wanted to skip 3.5.0. So we used
@dependabot close
There was no suitable ignore option, as we didn't want to ignore 3.x.x and didn't want to ignore 3.5.x, and dependabot doesn't allow ignoring a specific patch version. So we just closed the PR.
However, now that jquery 3.5.1 has been out for a while, we should get a PR for that from dependabot. But we don't.
In the logs I can see that dependabot sees 3.5.1 as the latest version, but it seems to skip it because there is already a PR for 3.5.0?
updater | INFO <job_45257903> Starting job processing
updater | INFO <job_45257903> Starting update job for DefectDojo/django-DefectDojo
updater | INFO <job_45257903> Checking if jquery 3.4.1 needs updating
proxy | 2020/08/27 18:41:01 [004] GET https://registry.npmjs.org:443/jquery
proxy | 2020/08/27 18:41:01 [004] 200 https://registry.npmjs.org:443/jquery
proxy | 2020/08/27 18:41:01 [006] GET https://registry.npmjs.org:443/jquery/3.5.1
proxy | 2020/08/27 18:41:01 [006] 200 https://registry.npmjs.org:443/jquery/3.5.1
updater | INFO <job_45257903> Latest version is 3.5.1
proxy | 2020/08/27 18:41:01 [008] GET https://registry.npmjs.org:443/jquery/3.5.0
updater | INFO <job_45257903> Requirements to unlock own
updater | INFO <job_45257903> Requirements update strategy bump_versions
updater | INFO <job_45257903> Pull request already exists for jquery@3.5.0
Two issues with that:
1) that PR is closed so it should create a new one
2) that PR is for 3.5.0 and we now have 3.5.1 available so even if there already is an existing (open or closed) PR it should create a new PR?
Or are we missing something?
Valentijn
Logs: https://app.dependabot.com/accounts/DefectDojo/update-logs/45257903
PR: https://github.com/DefectDojo/django-DefectDojo/pull/2416
Repo: https://github.com/DefectDojo/django-DefectDojo
Our config seems fine, nothing states to ignore anything jquery:
Applied config from .dependabot/config.yml:
---
update_configs:
- directory: "/components"
  package_manager: javascript
  target_branch: dev
  update_schedule: live
In addition, the following defaults have been applied:
---
allowed_updates:
- match:
    update_type: all
    dependency_type: direct
- match:
    update_type: security
    dependency_type: indirect
automerged_updates: []
default_assignees: []
default_labels:
- dependencies
- javascript
default_reviewers: []
ignored_updates:
- match:
    dependency_name: bootstrap
    version_requirement: ">= 4.a, < 5"
- match:
    dependency_name: bootstrap-social
    version_requirement: ">= 5.a, < 6"
- match:
    dependency_name: bootswatch
    version_requirement: ">= 4.a, < 5"
- match:
    dependency_name: chosen
    version_requirement: ">= 1.a, < 2"
- match:
    dependency_name: drmonty-datatables-responsive
    version_requirement: ">= 2.a, < 3"
- match:
    dependency_name: flot
    version_requirement: ">= 2.a, < 3"
- match:
    dependency_name: flot
    version_requirement: ">= 3.a, < 4"
- match:
    dependency_name: flot
    version_requirement: ">= 4.a, < 5"
- match:
    dependency_name: fullcalendar
    version_requirement: ">= 5.a, < 6"
- match:
    dependency_name: startbootstrap-sb-admin-2
    version_requirement: ">= 3.a, < 4"
- match:
    dependency_name: startbootstrap-sb-admin-2
    version_requirement: ">= 4.a, < 5"
- match:
    dependency_name: "@yarn_components/font-awesome"
    version_requirement: "!! 0d1f27efb836eb2ab994ba37221849ed64a73e5c"
version_requirement_updates: auto
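The "Pull request already exists" situation described in the report above is easy to miss in a long update log. The following is an added example, not part of the issue or of dependabot itself: it scans updater log lines in the shape quoted above (the three message formats are assumed from those lines) and flags any dependency whose "existing PR" is for a version older than the latest version dependabot itself reported, which is exactly the symptom that left jquery stuck on 3.4.1.

```python
import re

# Constructed sample log in the shape of the dependabot updater lines quoted in the report.
SAMPLE_LOG = """\
updater | INFO <job_45257903> Checking if jquery 3.4.1 needs updating
updater | INFO <job_45257903> Latest version is 3.5.1
updater | INFO <job_45257903> Pull request already exists for jquery@3.5.0
updater | INFO <job_45257903> Checking if lodash 4.17.15 needs updating
updater | INFO <job_45257903> Latest version is 4.17.20
updater | INFO <job_45257903> Pull request already exists for lodash@4.17.20
"""

# Message formats assumed from the quoted log; adjust if the real updater wording differs.
CHECK_RE = re.compile(r"Checking if (\S+) (\S+) needs updating")
LATEST_RE = re.compile(r"Latest version is (\S+)")
EXISTS_RE = re.compile(r"Pull request already exists for (\S+)@(\S+)")


def parse_version(version):
    """Reduce a version string to a tuple of its numeric components for comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_stale_existing_prs(log_text):
    """Return (dependency, current, latest, pr_version) for every dependency where
    the updater skipped work because of an existing PR that is behind 'latest'."""
    stale = []
    dep = current = latest = None
    for line in log_text.splitlines():
        m = CHECK_RE.search(line)
        if m:  # a new dependency starts; reset the per-dependency state
            dep, current, latest = m.group(1), m.group(2), None
            continue
        m = LATEST_RE.search(line)
        if m:
            latest = m.group(1)
            continue
        m = EXISTS_RE.search(line)
        if m and m.group(1) == dep and latest is not None:
            pr_version = m.group(2)
            if parse_version(pr_version) < parse_version(latest):
                stale.append((dep, current, latest, pr_version))
    return stale


if __name__ == "__main__":
    for dep, current, latest, pr_version in find_stale_existing_prs(SAMPLE_LOG):
        print(f"{dep}: still on {current}, latest is {latest}, "
              f"but the updater stopped at the existing PR for {pr_version}")
```

Running it over the sample flags only jquery; lodash is not reported because its existing PR already targets the latest version.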
After some messing around, dependabot is working again for jquery: #2829
jQuery is lagging behind a bit at 3.5.1 due to dependabot not offering 3.5.1 to us in a PR. We skipped 3.5.0 in https://github.com/DefectDojo/django-DefectDojo/pull/2416. I have filed a bug report with dependabot, so let's wait a bit to see their response. I'd like to help them fix it, or get educated on what we're missing :-) The update is not urgent, so we can afford to wait. It would also help us to see it fixed and test it, so we can start trusting dependabot again :-)