dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot rebase/update for open group PR closes it #10790

Open jasonkaedingrhino opened 1 week ago

jasonkaedingrhino commented 1 week ago

Is there an existing issue for this?

Package ecosystem

pip

Package manager version

No response

Language version

Python 3.11

Manifest location and content before the Dependabot update

/requirements.txt

dependabot.yml content

https://github.com/jasonkaedingrhino/dependabot-pip-test/blob/master/.github/dependabot.yml

Updated dependency

Previous:

langchain==0.3.1
langchain_openai==0.2.1

Open PR update:

langchain==0.3.3
langchain_openai==0.2.2

What you expected to see, versus what you actually saw

The PR was already open. I used @dependabot rebase to request a rebase. Then, dependabot closed the PR. No "superseded" message.

The dependabot update logs show the problem. It begins checking the langchain group but then says it has already been handled by a previous group.

I am aware of other bugs with groups regarding alphabetical order vs array order as specified in the documentation. However, in this case my only other group name library-patches is both 2nd in the array order and also 2nd in alphabetical order, meaning that this langchain group would seem to always be processed first.

There is also a very similar issue open #9845 but that is with Poetry, this uses pip instead. And, also, in that case no PR is created, whereas here the PR is created properly but then later a rebase closes it.

I understand that a "workaround" suggestion might be to try to re-open the PR. However, I want to leave it alone for troubleshooting. I tried to do this with a previous patch version bump, but then dependabot closed the PR immediately again.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

updater | 2024/10/15 13:17:26 INFO <job_901354551> Starting PR update job for jasonkaedingrhino/dependabot-pip-test
2024/10/15 13:17:26 INFO <job_901354551> Updating the 'langchain' group
updater | 2024/10/15 13:17:26 INFO <job_901354551> Updating the / directory.
updater | 2024/10/15 13:17:26 INFO <job_901354551> Skipping langchain as it has already been handled by a previous group
2024/10/15 13:17:26 INFO <job_901354551> Skipping langchain-openai as it has already been handled by a previous group
updater | 2024/10/15 13:17:26 INFO <job_901354551> No updated dependencies, closing existing Pull Request
updater | 2024/10/15 13:17:26 INFO <job_901354551> Telling backend to close pull request for the langchain group (langchain, langchain-openai) - update no longer possible
  proxy | 2024/10/15 13:17:26 [015] POST /update_jobs/901354551/close_pull_request
  proxy | 2024/10/15 13:17:26 [015] 204 /update_jobs/901354551/close_pull_request
  proxy | 2024/10/15 13:17:26 [017] PATCH /update_jobs/901354551/mark_as_processed
  proxy | 2024/10/15 13:17:26 [017] 204 /update_jobs/901354551/mark_as_processed
updater | 2024/10/15 13:17:26 INFO <job_901354551> Finished job processing
updater | 2024/10/15 13:17:26 INFO Results:
+----------------------------------------------------------------+
|              Changes to Dependabot Pull Requests               |
+-----------------------------------+----------------------------+
| closed: update_no_longer_possible | langchain,langchain-openai |
+-----------------------------------+----------------------------+

Smallest manifest that reproduces the issue

https://github.com/jasonkaedingrhino/dependabot-pip-test/blob/master/.github/dependabot.yml

This is already the "smallest" version relative to what exists in a private repo. The private repo also points to a private package registry, whereas this one shows the problem even with public PyPI.
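As an added example (not part of this issue or of dependabot-core), a small Python check that flags the pattern shown in the logs above: a PR closed as "update no longer possible" for the first group processed in a job, after every dependency of that group was skipped as "already handled by a previous group". The sample log is copied from the lines quoted above; the exact log message formats are an assumption based on those lines.

```python
import re
from collections import defaultdict

# Constructed sample: copied from the rebase job log quoted in this issue.
SAMPLE_LOG = """\
updater | 2024/10/15 13:17:26 INFO <job_901354551> Starting PR update job for jasonkaedingrhino/dependabot-pip-test
2024/10/15 13:17:26 INFO <job_901354551> Updating the 'langchain' group
updater | 2024/10/15 13:17:26 INFO <job_901354551> Updating the / directory.
updater | 2024/10/15 13:17:26 INFO <job_901354551> Skipping langchain as it has already been handled by a previous group
2024/10/15 13:17:26 INFO <job_901354551> Skipping langchain-openai as it has already been handled by a previous group
updater | 2024/10/15 13:17:26 INFO <job_901354551> No updated dependencies, closing existing Pull Request
updater | 2024/10/15 13:17:26 INFO <job_901354551> Telling backend to close pull request for the langchain group (langchain, langchain-openai) - update no longer possible
"""

# Message formats below are assumed from the log lines in the issue.
LINE_RE = re.compile(r"^(?:updater \| )?\S+ \S+ INFO <(?P<job>job_\d+)> (?P<msg>.*)$")
GROUP_RE = re.compile(r"(?:Updating the|Starting update group for) '(?P<group>[^']+)'")
SKIP_RE = re.compile(r"Skipping (?P<dep>\S+) as it has already been handled by a previous group")
CLOSE_RE = re.compile(
    r"Telling backend to close pull request for the (?P<group>\S+) group "
    r"\((?P<deps>[^)]*)\) - (?P<reason>.*)"
)


def find_suspicious_closures(log_text):
    """Return (job, group, deps) for each PR closed as 'update no longer possible'
    where every dependency in that group was skipped as 'already handled' even
    though no earlier group was processed in the same job."""
    groups_seen = defaultdict(list)  # job -> group names in processing order
    skipped = defaultdict(set)       # (job, group) -> deps skipped as already handled
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # proxy lines and result tables are not updater messages
        job, msg = m.group("job"), m.group("msg")
        if (g := GROUP_RE.search(msg)):
            groups_seen[job].append(g.group("group"))
        elif (s := SKIP_RE.search(msg)) and groups_seen[job]:
            skipped[(job, groups_seen[job][-1])].add(s.group("dep"))
        elif (c := CLOSE_RE.search(msg)) and c.group("reason").strip() == "update no longer possible":
            group = c.group("group")
            deps = {d.strip() for d in c.group("deps").split(",") if d.strip()}
            is_first_group = groups_seen[job][:1] == [group]
            if is_first_group and deps <= skipped[(job, group)]:
                findings.append((job, group, sorted(deps)))
    return findings
```

Run it over a saved Dependabot job log to list PRs that were closed although no earlier group in the job could have claimed their dependencies.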

jasonkaedingrhino commented 1 week ago

Similar behavior in #10019 also

jasonkaedingrhino commented 1 week ago

I did no other human actions, and it looks like the daily dependabot run ended up closing the other PR (for library-patches group) and then created a new PR with the langchain items + the non-langchain items. This effectively looks like it ignored the group definitions entirely.

Dependabot job history shows two runs at this time. One is for "Rebase update" and log output is as follows.

updater | 2024/10/15 21:14:13 INFO <job_901574470> Starting PR update job for jasonkaedingrhino/dependabot-pip-test
2024/10/15 21:14:13 INFO <job_901574470> Updating the 'library-patches' group

...

updater | 2024/10/15 21:14:23 INFO <job_901574470> Telling backend to close pull request for the library-patches group (pandas) - dependencies changed

...

updater | 2024/10/15 21:14:34 INFO <job_901574470> Finished job processing
updater | 2024/10/15 21:14:34 INFO Results:
+--------------------------------------------------------------------------------------------------------------------------------------------+
|                                                    Changes to Dependabot Pull Requests                                                     |
+------------------------------+-------------------------------------------------------------------------------------------------------------+
| closed: dependencies_changed | pandas                                                                                                      |
| created                      | langchain ( from 0.3.1 to 0.3.3 ), langchain-openai ( from 0.2.1 to 0.2.2 ), pandas ( from 2.2.1 to 2.2.3 ) |
+------------------------------+-------------------------------------------------------------------------------------------------------------+

There is a second run called "Version update" with logs as follows. Note the group processing is in reverse order here:

updater | 2024/10/15 21:14:14 INFO <job_901574467> Starting grouped update job for jasonkaedingrhino/dependabot-pip-test
2024/10/15 21:14:14 INFO <job_901574467> Found 2 group(s).
updater | 2024/10/15 21:14:14 INFO <job_901574467> Detected existing pull request for 'library-patches'.
2024/10/15 21:14:14 INFO <job_901574467> Deferring creation of a new pull request. The existing pull request will update in a separate job.
updater | 2024/10/15 21:14:14 INFO <job_901574467> Starting update group for 'langchain'
updater | 2024/10/15 21:14:14 INFO <job_901574467> Updating the / directory.
updater | 2024/10/15 21:14:14 INFO <job_901574467> Skipping langchain as it has already been handled by a previous group
2024/10/15 21:14:14 INFO <job_901574467> Skipping langchain-openai as it has already been handled by a previous group
updater | 2024/10/15 21:14:14 INFO <job_901574467> Nothing to update for Dependency Group: 'langchain'
updater | 2024/10/15 21:14:14 INFO <job_901574467> Starting update job for jasonkaedingrhino/dependabot-pip-test
updater | 2024/10/15 21:14:14 INFO <job_901574467> Checking all dependencies for version updates...