Open jasonkaedingrhino opened 1 week ago
Similar behavior in #10019 also
I did no other human actions, and it looks like the daily dependabot run ended up closing the other PR (for library-patches group) and then created a new PR with the langchain items + the non-langchain items. This effectively looks like it ignored the group definitions entirely.
Dependabot job history shows two runs at this time. One is for "Rebase update" and log output is as follows.
updater | 2024/10/15 21:14:13 INFO <job_901574470> Starting PR update job for jasonkaedingrhino/dependabot-pip-test
2024/10/15 21:14:13 INFO <job_901574470> Updating the 'library-patches' group
...
updater | 2024/10/15 21:14:23 INFO <job_901574470> Telling backend to close pull request for the library-patches group (pandas) - dependencies changed
...
updater | 2024/10/15 21:14:34 INFO <job_901574470> Finished job processing
updater | 2024/10/15 21:14:34 INFO Results:
+--------------------------------------------------------------------------------------------------------------------------------------------+
| Changes to Dependabot Pull Requests |
+------------------------------+-------------------------------------------------------------------------------------------------------------+
| closed: dependencies_changed | pandas |
| created | langchain ( from 0.3.1 to 0.3.3 ), langchain-openai ( from 0.2.1 to 0.2.2 ), pandas ( from 2.2.1 to 2.2.3 ) |
+------------------------------+-------------------------------------------------------------------------------------------------------------+
There is a second run called "Version update" with logs as follows. Note the group processing is in reverse order here:
updater | 2024/10/15 21:14:14 INFO <job_901574467> Starting grouped update job for jasonkaedingrhino/dependabot-pip-test
2024/10/15 21:14:14 INFO <job_901574467> Found 2 group(s).
updater | 2024/10/15 21:14:14 INFO <job_901574467> Detected existing pull request for 'library-patches'.
2024/10/15 21:14:14 INFO <job_901574467> Deferring creation of a new pull request. The existing pull request will update in a separate job.
updater | 2024/10/15 21:14:14 INFO <job_901574467> Starting update group for 'langchain'
updater | 2024/10/15 21:14:14 INFO <job_901574467> Updating the / directory.
updater | 2024/10/15 21:14:14 INFO <job_901574467> Skipping langchain as it has already been handled by a previous group
2024/10/15 21:14:14 INFO <job_901574467> Skipping langchain-openai as it has already been handled by a previous group
updater | 2024/10/15 21:14:14 INFO <job_901574467> Nothing to update for Dependency Group: 'langchain'
updater | 2024/10/15 21:14:14 INFO <job_901574467> Starting update job for jasonkaedingrhino/dependabot-pip-test
updater | 2024/10/15 21:14:14 INFO <job_901574467> Checking all dependencies for version updates...
Is there an existing issue for this?
Package ecosystem
pip
Package manager version
No response
Language version
Python 3.11
Manifest location and content before the Dependabot update
/requirements.txt
dependabot.yml content
https://github.com/jasonkaedingrhino/dependabot-pip-test/blob/master/.github/dependabot.yml
Updated dependency
Previous:
Open PR updatee:
What you expected to see, versus what you actually saw
The PR was already open. I used @dependabot rebase to request a rebase. Then, dependabot closed the PR. No "superseded" message.
The dependabot update logs show the problem. It begins checking the langchain group but then says it has already been handled by a previous group
I am aware of other bugs with groups regarding alphabetical order vs array order as specified in the documentation. However, in this case my only other group name library-patches is both 2nd in the array order and also 2nd in alphabetical order, meaning that this langchain group would seem to always be processed first.
There is also a very similar issue open #9845 but that is with Poetry, this uses pip instead. And, also, in that case no PR is created, whereas here the PR is created properly but then later a rebase closes it.
I understand that a "workaround" suggestion might be to try to re-open the PR. However, I want to leave it alone for troubleshooting. I tried to do this with a previous patch version bump, but then dependabot closed the PR immediately again.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
Smallest manifest that reproduces the issue
https://github.com/jasonkaedingrhino/dependabot-pip-test/blob/master/.github/dependabot.yml
This is already the "smallest" version relative to what exists in a private repo. The private repo also points to a private package registry, whereas this one shows the problem even with public PyPI.
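A log check for the two symptoms reported in this issue, as an added example (not Dependabot's code and not from the issue author): it flags group pull requests that a job closed, and groups that ended with nothing to update because their dependencies were skipped as handled by a previous group. The regular expressions assume the message wording shown in the logs above, SAMPLE reuses lines quoted from those logs, and the function name `audit` is hypothetical.

```python
import re
from collections import defaultdict

# Patterns assume the updater message wording quoted in the issue logs.
JOB = re.compile(r"<job_(\d+)>\s+(.*)$")
CLOSE = re.compile(r"Telling backend to close pull request for the (\S+) group \((.*?)\) - (.+)")
START = re.compile(r"Starting update group for '([^']+)'")
SKIP = re.compile(r"Skipping (\S+) as it has already been handled by a previous group")
EMPTY = re.compile(r"Nothing to update for Dependency Group: '([^']+)'")

# Sample input: lines copied from the two job logs in the issue.
SAMPLE = """\
updater | 2024/10/15 21:14:23 INFO <job_901574470> Telling backend to close pull request for the library-patches group (pandas) - dependencies changed
updater | 2024/10/15 21:14:14 INFO <job_901574467> Starting update group for 'langchain'
updater | 2024/10/15 21:14:14 INFO <job_901574467> Skipping langchain as it has already been handled by a previous group
2024/10/15 21:14:14 INFO <job_901574467> Skipping langchain-openai as it has already been handled by a previous group
updater | 2024/10/15 21:14:14 INFO <job_901574467> Nothing to update for Dependency Group: 'langchain'
"""

def audit(log_text):
    """Return {job_id: {"closed": [...], "starved": {group: [skipped deps]}}}."""
    jobs = defaultdict(lambda: {"closed": [], "starved": {}})
    current = {}                 # job id -> group currently being processed
    skipped = defaultdict(list)  # (job id, group) -> deps skipped in that group
    for line in log_text.splitlines():
        m = JOB.search(line)     # some lines lack the "updater |" prefix
        if not m:
            continue
        job, msg = m.group(1), m.group(2)
        if (c := CLOSE.search(msg)):
            # A group PR was closed by this job: record group, deps and reason.
            jobs[job]["closed"].append(
                {"group": c[1], "deps": c[2].split(", "), "reason": c[3]})
        elif (s := START.search(msg)):
            current[job] = s[1]
        elif (k := SKIP.search(msg)) and job in current:
            skipped[(job, current[job])].append(k[1])
        elif (e := EMPTY.search(msg)) and skipped.get((job, e[1])):
            # Group produced no update only because its deps were skipped.
            jobs[job]["starved"][e[1]] = skipped[(job, e[1])]
    return dict(jobs)

if __name__ == "__main__":
    for job_id, findings in audit(SAMPLE).items():
        print(job_id, findings)
```

Running the same function over complete job logs from a repository's Dependabot history shows which configured groups never produce their own pull request.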