Open tippmar-nr opened 1 month ago
Thanks for filing the issue. It'll require some investigation to see exactly what happened because the allow list in the dependabot.yml file should have prevented the System.Net.Http, etc. packages from even being attempted.
Is there an existing issue for this?
Package ecosystem
nuget
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
No response
dependabot.yml content
https://github.com/newrelic/newrelic-dotnet-agent/blob/main/.github/dependabot.yml#L28 -- refer to the nuget-tests group starting at line 28
Updated dependency
No response
What you expected to see, versus what you actually saw
Observed behavior
We have an allow list that permits a small subset of Nuget packages to be updated.
On multiple occasions recently, the description in the PR created by Dependabot lists one or more "disallowed" packages as being included in the update, even though there are no changes to the actual manifest (.csproj) files for the disallowed packages. Specific packages shown in the description include System.Net.Http and System.Collections.Immutable.
The PR itself updated exactly what it should have, based on the allow list; the issue is in the PR description itself.
Expected behavior
Disallowed packages should not appear in the description of Dependabot PRs
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
Recent Dependabot PRs exhibiting this behavior:
https://github.com/newrelic/newrelic-dotnet-agent/pull/2746
https://github.com/newrelic/newrelic-dotnet-agent/pull/2780
Both of these list System.Net.Http and System.Collections.Immutable in the description, but they are (correctly) not updated in the PR.
https://github.com/newrelic/newrelic-dotnet-agent/pull/2702 -- this one listed a whole bunch of packages in the description, but the only package actually updated was Microsoft.NET.Test.Sdk, which is on the allow list.
Smallest manifest that reproduces the issue
No response
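As an added check (not part of the original issue or of Dependabot itself), the script below compares the packages a Dependabot-style PR description claims to update against the PackageReference changes actually present in the before/after .csproj, and flags any real change that falls outside the allow list. The description format, the allow list and the manifests are constructed samples, not the project's own files.

```python
import re
from xml.etree import ElementTree as ET

# Constructed allow list standing in for the dependabot.yml allow entries (not the project's real config)
ALLOWED = {"Microsoft.NET.Test.Sdk"}

# Constructed PR description loosely modelled on Dependabot's wording: one allowed, two disallowed packages
PR_DESCRIPTION = """Bumps the nuget-tests group with 3 updates.

Updates `Microsoft.NET.Test.Sdk` from 17.9.0 to 17.10.0
Updates `System.Net.Http` from 4.3.0 to 4.3.4
Updates `System.Collections.Immutable` from 8.0.0 to 9.0.0
"""

# Constructed before/after manifest; only the allowed package actually changes version
CSPROJ_BEFORE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />
    <PackageReference Include="System.Net.Http" Version="4.3.0" />
  </ItemGroup>
</Project>"""
CSPROJ_AFTER = CSPROJ_BEFORE.replace('"17.9.0"', '"17.10.0"')

UPDATE_LINE = re.compile(r"^Updates `([^`]+)` from (\S+) to (\S+)", re.M)

def described_updates(description):
    """Package -> (old, new) as claimed by the PR description text."""
    return {name: (old, new) for name, old, new in UPDATE_LINE.findall(description)}

def package_versions(csproj_xml):
    """Package -> Version for every PackageReference element in a .csproj."""
    root = ET.fromstring(csproj_xml)
    return {el.get("Include"): el.get("Version")
            for el in root.iter("PackageReference") if el.get("Include")}

def actual_updates(before_xml, after_xml):
    """Packages whose version differs between the two manifests (added/removed count as changes)."""
    before, after = package_versions(before_xml), package_versions(after_xml)
    return {p: (before.get(p), after.get(p))
            for p in before.keys() | after.keys() if before.get(p) != after.get(p)}

def audit(description, before_xml, after_xml, allowed):
    """phantom: described but not changed in the manifest; disallowed_changed: changed but not on the allow list."""
    claimed, real = described_updates(description), actual_updates(before_xml, after_xml)
    return {"phantom": sorted(set(claimed) - set(real)),
            "disallowed_changed": sorted(p for p in real if p not in allowed),
            "actual": real}

if __name__ == "__main__":
    print(audit(PR_DESCRIPTION, CSPROJ_BEFORE, CSPROJ_AFTER, ALLOWED))
```

A non-empty "phantom" list reproduces the symptom described in this issue (description mentions packages the diff never touched); a non-empty "disallowed_changed" list would be the more serious case where the allow list itself was not honoured.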