dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot doesn't ignore an ignored dependency #10620

Open provegard opened 2 weeks ago

provegard commented 2 weeks ago

Is there an existing issue for this?

Package ecosystem

npm

Package manager version

npm 8

Language version

Node.js 18

Manifest location and content before the Dependabot update

No response

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
    target-branch: "dependabot-updates"
  - package-ecosystem: "npm"
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
    target-branch: "dependabot-updates"
    ignore:
      # Vue 2.7.16 has a regression, stay on 2.7.15
      - dependency-name: "vue"
      - dependency-name: "vue-template-compiler"
      - dependency-name: "@vue/compiler-sfc"

Updated dependency

vue-template-compiler 2.7.15 -> 2.7.16

What you expected to see, versus what you actually saw

I expect dependabot to ignore vue-template-compiler 2.7.16, since it's ignored in the dependabot.yaml file. I have also tried various ways of specifying a version in dependabot.yaml, but nothing works.

Actual result: Dependabot tries to upgrade vue-template-compiler from 2.7.15 to 2.7.16.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

The PR is in a private repository.


Smallest manifest that reproduces the issue

No response
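As an added check (not part of the issue and not dependabot-core's own code), the Ruby script below evaluates a dependabot.yml ignore block against a candidate update the way the config is meant to be read: a rule with only dependency-name covers every version of that package, while a versions list narrows it. The config string is constructed for the example and mirrors the issue's npm block; version ranges are interpreted with Gem::Requirement as a simplification (Dependabot uses npm-style ranges for the npm ecosystem).

```ruby
require "yaml"

# Constructed sample config, modelled on the npm block in this issue.
SAMPLE_CONFIG = <<~YAML
  version: 2
  updates:
    - package-ecosystem: "npm"
      directory: "/"
      schedule:
        interval: "daily"
      ignore:
        - dependency-name: "vue"
        - dependency-name: "vue-template-compiler"
          versions: [">= 2.7.16"]
YAML

# Ignore rules for one ecosystem/directory pair; [] when that block has none.
def ignore_rules(config_text, ecosystem:, directory: "/")
  cfg = YAML.safe_load(config_text)
  block = (cfg["updates"] || []).find do |u|
    u["package-ecosystem"] == ecosystem && u["directory"] == directory
  end
  block ? (block["ignore"] || []) : []
end

# Turns a dependency-name pattern such as "vue" or "@vue/*" into an anchored regexp.
def name_matches?(pattern, name)
  Regexp.new("\\A" + Regexp.escape(pattern).gsub('\*', ".*") + "\\z").match?(name)
end

# A rule with no `versions` key (or an empty list) ignores every version;
# otherwise the version must fall inside at least one listed range
# (Gem::Requirement syntax here, an assumption for the example).
def version_ignored?(rule, version)
  ranges = rule["versions"]
  return true if ranges.nil? || ranges.empty?
  ranges.any? { |r| Gem::Requirement.new(r).satisfied_by?(Gem::Version.new(version)) }
end

# Would an update of `name` to `version` be suppressed by this config?
def ignored?(config_text, ecosystem:, name:, version:)
  ignore_rules(config_text, ecosystem: ecosystem).any? do |rule|
    name_matches?(rule["dependency-name"], name) && version_ignored?(rule, version)
  end
end
```

A rule without a versions key stays in force for every later release of that package, so narrowing it to the known-bad range keeps future fixes flowing.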

provegard commented 2 weeks ago

The dotnet:nuget label is wrong. Nuget is in the dependabot.yaml file, but so is npm, and the issue is about the npm ecosystem.