dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Version 2 yaml validator doesn't catch duplicated `ignore:` sections. #1919

Open georgedorn opened 4 years ago

georgedorn commented 4 years ago

This validates:

version: 2
updates:
- package-ecosystem: pip
  directory: "/"
  schedule:
    interval: daily
    time: '13:00'
  open-pull-requests-limit: 10
  ignore:
  - dependency-name: chromedriver-binary
  ignore:
  - dependency-name: celery
  commit-message:
    prefix: chore

But then dependabot happily opens PRs to update chromedriver-binary, as the second ignore: clobbers the first.

(I'm now aware of the correct format; this bug report is because the validator didn't catch this. Also, maybe somebody else searching for why dependabot isn't respecting their 'ignore' statements will find this, too.)
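As an added example (not code from dependabot-core or from this thread), here is the config above loaded with Ruby's standard-library YAML (Psych), plus a small walk over the parsed AST that reports a repeated key in any mapping. The plain load shows the clobbering described in the report; the AST walk is the kind of check a schema validator operating on the already-loaded hash cannot perform. The sample text is the reporter's config, embedded inline; the function names are mine.

```ruby
require "yaml"

# Constructed sample: the dependabot.yml from the report, with `ignore:` repeated.
SAMPLE = <<~YAML
  version: 2
  updates:
  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: daily
      time: '13:00'
    open-pull-requests-limit: 10
    ignore:
    - dependency-name: chromedriver-binary
    ignore:
    - dependency-name: celery
    commit-message:
      prefix: chore
YAML

# What a normal load sees: the mapping keeps only the last `ignore:` value.
def loaded_ignores(yaml_text)
  YAML.safe_load(yaml_text)["updates"][0]["ignore"].map { |h| h["dependency-name"] }
end

# Walk the Psych AST (not the loaded hash) and collect every repeated scalar key.
# Returns an array of { path:, key:, line: } hashes; empty means no duplicates.
def duplicate_keys(yaml_text)
  dups = []
  walk = lambda do |node, path|
    case node
    when Psych::Nodes::Mapping
      seen = {}
      node.children.each_slice(2) do |key, value|   # children alternate key, value
        name = key.is_a?(Psych::Nodes::Scalar) ? key.value : key.class.name
        if seen.key?(name)
          dups << { path: path, key: name, line: key.start_line + 1 }  # 1-based line
        else
          seen[name] = true
        end
        walk.call(value, "#{path}/#{name}")
      end
    when Psych::Nodes::Sequence
      node.children.each_with_index { |child, i| walk.call(child, "#{path}[#{i}]") }
    end
  end
  walk.call(Psych.parse(yaml_text).root, "")
  dups
end
```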

feelepxyz commented 4 years ago

@georgedorn thanks for reporting! We'll look into handling this better. Surprised our JSON schema validation doesn't pick this up.