dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

open pull requests limit is ignored #5342

Open tekumara opened 2 years ago

tekumara commented 2 years ago

Package ecosystem python

Package manager version setup.py

Language version python >=3.6

Manifest location and content before the Dependabot update https://github.com/seek-oss/aec/blob/8a0665bf7df37cb39520f3b2cc2acf453626aaed/setup.py

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 1

see https://github.com/seek-oss/aec/blob/8a0665bf7df37cb39520f3b2cc2acf453626aaed/.github/dependabot.yml

Updated dependency

N/A

What you expected to see, versus what you actually saw

Expected only 1 PR to be raised but 6 were:

(screenshot omitted: "Screen Shot 2022-07-02 at 1 24 08 pm", showing the six open PRs)

Native package manager behavior N/A

Images of the diff or a link to the PR, issue, or logs

🕹 Bonus points: Smallest manifest that reproduces the issue

jeffwidman commented 1 year ago

I'm not sure of the root cause, but something I noticed is that only 1 PR is opened with the prefix build(deps) and the other 5 all say build(deps-dev)... so perhaps the limit isn't being properly applied to deps-dev.

Also, thank you for providing links with pinned commits in the URLs. Makes debugging so much more pleasant! 🎉

jeffwidman commented 1 year ago

Do any of the open PRs that are violating the limit (i.e., the new ones) happen by chance to resolve security alerts?

Because I just remembered that those don't respect the open-pull-requests-limit config because we assume you still want to see security PRs immediately...

tekumara commented 1 year ago

I don't think any of the PRs were for security alerts.

zomgbre commented 1 year ago

I'm seeing this issue with a repository using yarn with this configuration:

version: 2
updates:
  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "sunday"

  # Maintain dependencies for npm
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "monthly"
      day: "sunday"
    open-pull-requests-limit: 0

The pull requests are very noisy for npm / yarn and we can't always get to upgrading libraries at the speed they are being updated (some libraries are releasing updates once a day now!). To deal with that, we update all libraries on a schedule instead until we can deploy more often. Previously, there was no way to ignore the dependabot PR notifications or separate them with the Slack integration. (I think there might be some enhancements that were recently released, but I still want this to work.)

Anyway, dependabot seems to be ignoring our configuration.

We have this exact same config on other repos but they are using npm. I'm wondering if this issue is specific to yarn or certain package managers?
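
The check below is an added example, not dependabot-core code or anything from the posters in this thread. It reconciles a repo's configured open-pull-requests-limit against the PRs that are actually open, which is the triage jeffwidman suggests above (split by build(deps) / build(deps-dev) prefix, and set aside PRs that close security alerts because those are exempt from the limit), and it lints the update entries for the two things that bite in zomgbre's config: `day` is only honoured for `interval: weekly`, and `open-pull-requests-limit: 0` turns off version updates but does not stop security-update PRs. The config entries and PR records are constructed to resemble the thread; the `security` flag on each PR is an assumed field you would populate yourself (for example from the alert link in a security PR's body), since nothing on this page says how that is exposed. The default limit of 5 is from the Dependabot docs.

```python
"""Reconcile Dependabot's open-pull-requests-limit with the PRs actually open.

Added example, not dependabot-core code. All data below is constructed.
"""
import re
from collections import defaultdict

# Commit-message prefixes Dependabot uses for pip: build(deps) for runtime
# requirements, build(deps-dev) for development requirements.
PREFIX_RE = re.compile(r"^(?P<prefix>build\(deps(?:-dev)?\)): bump ")

# Dependabot's default when open-pull-requests-limit is not set (per the docs).
DEFAULT_LIMIT = 5

# Constructed dependabot.yml "updates" entries, written as dicts so no YAML
# parser is needed. These mirror the two configs posted in the thread.
CONFIG = [
    {"package-ecosystem": "pip", "directory": "/",
     "schedule": {"interval": "monthly"}, "open-pull-requests-limit": 1},
    {"package-ecosystem": "npm", "directory": "/",
     "schedule": {"interval": "monthly", "day": "sunday"}, "open-pull-requests-limit": 0},
]

# Constructed open PRs authored by dependabot[bot]. The "security" field is an
# assumption: you would set it from whatever marks a PR as closing an alert.
OPEN_PRS = [
    {"number": 41, "ecosystem": "pip", "title": "build(deps): bump boto3 from 1.24.0 to 1.24.20", "security": False},
    {"number": 42, "ecosystem": "pip", "title": "build(deps-dev): bump black from 22.3.0 to 22.6.0", "security": False},
    {"number": 43, "ecosystem": "pip", "title": "build(deps-dev): bump mypy from 0.961 to 0.971", "security": False},
    {"number": 44, "ecosystem": "pip", "title": "build(deps-dev): bump pytest from 7.1.2 to 7.1.3", "security": True},
    {"number": 45, "ecosystem": "npm", "title": "build(deps): bump minimist from 1.2.5 to 1.2.6", "security": True},
]


def lint_config(entries):
    """Flag update entries whose settings will not do what the author expects."""
    findings = []
    for entry in entries:
        eco = entry["package-ecosystem"]
        sched = entry.get("schedule", {})
        limit = entry.get("open-pull-requests-limit", DEFAULT_LIMIT)
        if "day" in sched and sched.get("interval") != "weekly":
            findings.append(
                f"{eco}: schedule.day is only honoured for interval: weekly; "
                f"it is ignored for interval: {sched.get('interval')}"
            )
        if limit == 0:
            findings.append(
                f"{eco}: open-pull-requests-limit: 0 disables version updates, "
                "but security updates still open PRs"
            )
    return findings


def audit(config, prs):
    """Per ecosystem: count version-update PRs against the limit; list security PRs separately."""
    by_eco = defaultdict(list)
    for pr in prs:
        by_eco[pr["ecosystem"]].append(pr)

    report = {}
    for entry in config:
        eco = entry["package-ecosystem"]
        limit = entry.get("open-pull-requests-limit", DEFAULT_LIMIT)
        version_prs, security_prs = [], []
        by_prefix = defaultdict(int)
        for pr in by_eco.get(eco, []):
            if pr["security"]:
                # Security-update PRs are exempt from open-pull-requests-limit.
                security_prs.append(pr["number"])
                continue
            version_prs.append(pr["number"])
            match = PREFIX_RE.match(pr["title"])
            by_prefix[match.group("prefix") if match else "other"] += 1
        report[eco] = {
            "limit": limit,
            "version_prs": version_prs,
            "security_prs": security_prs,
            "by_prefix": dict(by_prefix),
            "over_limit": len(version_prs) > limit,
        }
    return report


if __name__ == "__main__":
    for finding in lint_config(CONFIG):
        print("config:", finding)
    for eco, row in audit(CONFIG, OPEN_PRS).items():
        status = "OVER LIMIT" if row["over_limit"] else "ok"
        print(f"{eco}: limit={row['limit']} version={row['version_prs']} "
              f"security={row['security_prs']} by_prefix={row['by_prefix']} {status}")
```

With the constructed data, pip reports three version-update PRs against a limit of 1 (one build(deps), two build(deps-dev)) and one exempt security PR, so the limit really is being exceeded there; npm reports no version-update PRs, only the security PR that a limit of 0 cannot suppress. To run it against a real repo, replace OPEN_PRS with the output of `gh pr list --author app/dependabot --json number,title` plus your own security tagging.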

DavideDaniel commented 3 months ago

This is still happening for yarn. Is there no fix coming anytime soon?