Open na1307 opened 2 weeks ago
Do you have a log file you could share? The dependabot.yml doesn't contain any ignore conditions, so they must have been injected elsewhere and the full log should contain those details.
I ignored it using a dependabot ignore command. (#9916 and na1307/SimpleSixtarScorecard#5) I have a Dependabot Actions log, but I don't know which one to link to.
I am faced with the same issue as @na1307. I maintain a relatively big set of Java-based projects that are updated weekly by Dependabot in grouped pull requests. As of last week, Dependabot has started to include ignored dependencies again.
One of those projects is the Axon Server Connector for Java project, where this Dependabot pull request is a concrete example.
Here are the logs for that job: axonserver-connector-java_AxonIQ_72920becbc1912680d9cbcaccd8ca146ba7aaf02.json
It seems different in my case. In my case, Dependabot ignores the dependency even though there is a newer version that is outside the ignored dependency version range. It seems to be the exact opposite of your case.
@smcvb I've responded on the closed PR but just to close the loop:
We made a change 3 weeks ago to follow the Maven version identifier specification. Based on this, 5.0.a0 == 5.0.alpha < 5.0.a. The first 2 are prereleases but 5.0.a is not. Likewise with 5.a. If you use 5.0a0 and 5.a0, respectively, everything should work as before.
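The ordering quoted in the comment above (5.0.a0 == 5.0.alpha < 5.0.0 < 5.0.a) follows from the Maven rule that a single letter only expands to a qualifier like "alpha" when a digit follows it directly, while a bare letter is an unknown qualifier that sorts after the final release. The following is an added example, not dependabot-core's own code and not Maven's ComparableVersion: a simplified, flat approximation of the Maven ordering written in Ruby. The helper names (normalize, compare_versions, prerelease?, ignored?) are assumptions, the interval check in ignored? assumes both bounds are compared with this same ordering rather than reproducing Dependabot's own range parser, and Maven's hyphen-nested sub-lists are omitted on the assumption that they do not change the result for these inputs.

```ruby
# Added example, not dependabot-core or Maven code: a flat approximation of
# the Maven version-identifier ordering, enough to show why
# 5.0.a0 == 5.0.alpha < 5.0.0 < 5.0.a (and likewise 5.a0 < 5.0.0 < 5.a).

# Qualifier precedence from the Maven specification; "" is the final release.
QUALIFIERS = ["alpha", "beta", "milestone", "rc", "snapshot", "", "sp"].freeze
# Spellings the specification treats as equivalent.
ALIASES = { "ga" => "", "final" => "", "release" => "", "cr" => "rc" }.freeze
# Single letters expand only when a digit follows them directly ("a0" -> alpha).
SHORT = { "a" => "alpha", "b" => "beta", "m" => "milestone" }.freeze

def canonical_qualifier(q, followed_by_digit)
  return SHORT[q] if followed_by_digit && SHORT.key?(q)
  ALIASES.fetch(q, q)
end

# Split on '.', '-' and digit/letter transitions; numbers become Integers,
# qualifiers become canonical Strings.  Trailing "null" items (0 or "") are
# dropped so that 5.0.0 == 5.0 and 5.0.alpha0 == 5.0.alpha.
def normalize(version)
  items = version.downcase.scan(/(\d+)|([a-z]+)(?=(\d)|)/).map do |digits, letters, next_digit|
    digits ? digits.to_i : canonical_qualifier(letters, !next_digit.nil?)
  end
  items.pop while !items.empty? && (items.last == 0 || items.last == "")
  items
end

# Known qualifiers sort by their index; unknown ones ("a", "foo") sort after
# every known qualifier, alphabetically among themselves.
def qualifier_key(q)
  idx = QUALIFIERS.index(q)
  idx ? idx.to_s : "#{QUALIFIERS.size}-#{q}"
end

def compare_item(a, b)
  if a.is_a?(Integer) && b.is_a?(Integer) then a <=> b
  elsif a.is_a?(Integer) then 1        # a number outranks any qualifier
  elsif b.is_a?(Integer) then -1
  else qualifier_key(a) <=> qualifier_key(b)
  end
end

def compare_items(a, b)
  [a.size, b.size].max.times do |i|
    l, r = a[i], b[i]
    # A missing item counts as 0 against a number and as the final
    # release ("") against a qualifier.
    l = r.is_a?(Integer) ? 0 : "" if l.nil?
    r = l.is_a?(Integer) ? 0 : "" if r.nil?
    c = compare_item(l, r)
    return c unless c.zero?
  end
  0
end

def compare_versions(x, y)
  compare_items(normalize(x), normalize(y))
end

# A version is a prerelease when it sorts below its own numeric prefix.
def prerelease?(version)
  items = normalize(version)
  compare_items(items, items.take_while { |i| i.is_a?(Integer) }).negative?
end

# Interval check for an ignore condition such as "[>= 5.0.a, < 5.1]".
# Assumption (constructed here, not Dependabot's own parser): both bounds
# are compared with the ordering above.
def ignored?(candidate, lower, upper)
  compare_versions(candidate, lower) >= 0 && compare_versions(candidate, upper) < 0
end

if __FILE__ == $PROGRAM_NAME
  %w[5.0.a0 5.0.alpha 5.0.a 5.a 5.0a0 5.a0].each do |v|
    puts format("%-10s prerelease=%s", v, prerelease?(v))
  end
  puts %w[5.0.a 5.0.0 5.0.alpha 5.a0].sort { |x, y| compare_versions(x, y) }.inspect
  puts "5.0.0 ignored by [>= 5.0.a, < 5.1]:  #{ignored?('5.0.0', '5.0.a', '5.1')}"
  puts "5.0.0 ignored by [>= 5.0a0, < 5.1]: #{ignored?('5.0.0', '5.0a0', '5.1')}"
end
```

Under this ordering a lower bound written as 5.0.a sits above 5.0.0, so an ignore range starting there no longer covers the 5.0.0 release, whereas 5.0a0 normalizes to the alpha prerelease and the range covers 5.0.0 again, which is the rewrite the comment recommends.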
Thanks for the quick response, @amazimbe! So, if I follow you and the linked description correctly, the fact that the Mockito 5.0.0 release is added to my Dependabot PRs is because I set ignore rules for 5.a and 5.0.a, where the latter causes the match with 5.0.0, right?
That's correct.
Thank you to everybody for the additional information.
As to the original issue of version 7.2.3 not getting selected, that is indeed a bug and will need some more investigation.
As for the other issues like 5.0.a, that's an alternate syntax for a wildcard version. The short answer is that a single letter is treated as an asterisk *, so 5.0.a is interpreted as 5.0.*, which is why it matches 5.0.0.
Is there an existing issue for this?
Package ecosystem
nuget
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
https://github.com/na1307/SimpleSixtarScorecard/blob/b8467df433c933f0b9a1ab04c37c2067524aac92/Directory.Packages.props
dependabot.yml content
https://github.com/na1307/SimpleSixtarScorecard/blob/b8467df433c933f0b9a1ab04c37c2067524aac92/.github/dependabot.yml
Updated dependency
JsonSchema.Net
What you expected to see, versus what you actually saw
The dependency is marked as ignored for [>= 7.0.a, < 7.1], but dependabot ignores it even though the current latest version is 7.2.3.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response