Dependabot ignores dependencies even if they have a higher version than the ignored version.

[na1307]

Is there an existing issue for this?

• [X] I have searched the existing issues

Package ecosystem

nuget

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

https://github.com/na1307/SimpleSixtarScorecard/blob/b8467df433c933f0b9a1ab04c37c2067524aac92/Directory.Packages.props

dependabot.yml content

https://github.com/na1307/SimpleSixtarScorecard/blob/b8467df433c933f0b9a1ab04c37c2067524aac92/.github/dependabot.yml

Updated dependency

JsonSchema.Net

What you expected to see, versus what you actually saw

The dependency is marked as ignored for [>= 7.0.a, < 7.1], but dependabot ignores it even though the current latest version is 7.2.3.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

[brettfo]

Do you have a log file you could share? The dependabot.yml doesn't contain any ignore conditions, so they must have been injected elsewhere and the full log should contain those details.

[na1307]

I ignored it using a dependabot ignore command. (#9916 and na1307/SimpleSixtarScorecard#5) I have a Dependabot Actions log, but I don't know which one to link to.

[smcvb]

I am faced with the same issue as @na1307. I maintain a relatively big set of Java-based projects that are updated weekly by dependabot in grouped pull requests. As off last week, Dependabot has started to included ignored dependencies again.

One of those projects is the Axon Server Connector for Java project, where this Dependabot pull request is a concrete example.

Here are the logs for that job: axonserver-connector-java_AxonIQ_72920becbc1912680d9cbcaccd8ca146ba7aaf02.json

[na1307]

I am faced with the same issue as @na1307. I maintain a relatively big set of Java-based projects that are updated weekly by dependabot in grouped pull requests. As off last week, Dependabot has started to included ignored dependencies again.

One of those projects is the Axon Server Connector for Java project, where this Dependabot pull request is a concrete example.

Here are the logs for that job: axonserver-connector-java_AxonIQ_72920becbc1912680d9cbcaccd8ca146ba7aaf02.json

It seems different in my case. In my case, Dependabot ignores the dependency even though there is a newer version that is outside the ignored dependency version range. It seems to be the exact opposite of your case.

[amazimbe]

I am faced with the same issue as @na1307. I maintain a relatively big set of Java-based projects that are updated weekly by dependabot in grouped pull requests. As off last week, Dependabot has started to included ignored dependencies again.

One of those projects is the Axon Server Connector for Java project, where this Dependabot pull request is a concrete example.

Here are the logs for that job: axonserver-connector-java_AxonIQ_72920becbc1912680d9cbcaccd8ca146ba7aaf02.json

@smcvb I've responded on the closed PR but just to close the loop:

We made a change 3 weeks ago to follow the maven version identifier specification . Based on this, 5.0.a0 == 5.0.alpha < 5.0.a. The first 2 are prereleases but 5.0.a is not. Likewise with 5.a. If you use 5.0a0 and 5.a0, respectively, everything should work as before.

[smcvb]

@smcvb I've responded on the closed PR but just to close the loop:

We made a change 3 weeks ago to follow the maven version identifier specification . Based on this, 5.0.a0 == 5.0.alpha < 5.0.a. The first 2 are prereleases but 5.0.a is not. Likewise with 5.a. If you use 5.0a0 and 5.a0, respectively, everything should work as before.

Thanks for the quick response, @amazimbe! So, if I follow you and the linked description correctly, the fact the Mockito 5.0.0 release is added to my Dependabot PRs, is because I set ignore rules for 5.a and 5.0.a, where the latter causes the match with 5.0.0, right?

[amazimbe]

Thanks for the quick response, @amazimbe! So, if I follow you and the linked description correctly, the fact the Mockito 5.0.0 release is added to my Dependabot PRs, is because I set ignore rules for 5.a and 5.0.a, where the latter causes the match with 5.0.0, right?

That's correct.

[brettfo]

Thank you to everybody for the additional information.

As to the original issue of version 7.2.3 not getting selected, that is indeed a bug and will need some more investigation.

As for the other issues like 5.0.a, that's an alternate syntax for a wildcard version. The short answer is that a single letter is treated as an asterisk *, so 5.0.a is interpreted as 5.0.* which is why it matches 5.0.0.