dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot only raises one PR where 2 FROM statements exist in Dockerfile #6700

Open lcooper01 opened 1 year ago

lcooper01 commented 1 year ago

Is there an existing issue for this?

Package ecosystem

Docker

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

```yaml
version: 2
updates:
  - package-ecosystem: "docker" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

Updated dependency

eclipse-temurin from 11.0.14.1_1-jre-alpine to 11.0.18_10-jre-alpine

and

eclipse-temurin from 17.0.5_8-jre-alpine to 17.0.6_10-jre-alpine

What you expected to see, versus what you actually saw

Following on from the original issue of the complex version not being picked up. https://github.com/dependabot/dependabot-core/issues/5758

Expected two PRs created: one for java11 and one for java17 minor updates.

Only one PR created which bumps both java11 and java17 to the java17 updated version https://github.com/lcooper01/test-dependabot/pull/6

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

This PR shows both images being bumped to the same java17 increment, as the java17 FROM is at the top of the file: https://github.com/lcooper01/test-dependabot/pull/6

After moving java 11 to the top of the file and running dependabot again:

It tells us the PR to bump java11 already exists:

```
updater | INFO <job_608322365> Pull request already exists for eclipse-temurin with latest version 11.0.18_10-jre-alpine
```

Tried closing the PR and rerunning Dependabot, but it still says the PR exists.

Therefore opened a new repo with java11 at the top of the file, for which no PR would be raised: https://github.com/lcooper01/test-dependabot-java11/

Removed java17, and then the PR was raised successfully for java11: https://github.com/lcooper01/test-dependabot-java11/pull/1/files

Added java17 back in and reran Dependabot, which then says there is an existing PR for java11 again:

```
updater | INFO <job_608325796> Pull request already exists for eclipse-temurin with latest version 11.0.18_10-jre-alpine
```

Smallest manifest that reproduces the issue

In the order below both images are bumped:

```dockerfile
FROM eclipse-temurin:17.0.5_8-jre-alpine as java-17
FROM eclipse-temurin:11.0.14.1_1-jre-alpine as java11
```

In the order below no PR is created:

```dockerfile
FROM eclipse-temurin:11.0.14.1_1-jre-alpine as java11
FROM eclipse-temurin:17.0.5_8-jre-alpine as java-17
```
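The issue above describes a dependency being keyed on the image name alone, so two pins of `eclipse-temurin` collapse into one update and the first FROM line's tag decides what the other stage is rewritten to. The following is an added example, not code from the issue or from dependabot-core, that models both behaviours over the two FROM lines quoted in the issue: `plan_updates_by_name` reproduces the single-candidate result reported, and `plan_updates_per_stage` keys each candidate on (image, current tag) and constrains it to its own major version, which is what the reporter expected. The tag listing, the jdk-alpine tag, and all function names are constructed assumptions, not a real registry query or the project's API.

```python
import re

# Constructed sample Dockerfile: the two FROM lines quoted in the issue, in the
# order the reporter says produced a single PR that bumped both stages.
DOCKERFILE = """\
FROM eclipse-temurin:17.0.5_8-jre-alpine as java-17
FROM eclipse-temurin:11.0.14.1_1-jre-alpine as java11
"""

# Constructed stand-in for a registry tag listing (no network access). The
# jre-alpine tags are the ones named in the issue; the jdk-alpine tag is made
# up to show that a different variant suffix is never offered as an update.
AVAILABLE = {
    "eclipse-temurin": [
        "11.0.14.1_1-jre-alpine",
        "11.0.18_10-jre-alpine",
        "17.0.5_8-jre-alpine",
        "17.0.6_10-jre-alpine",
        "17.0.6_10-jdk-alpine",
    ],
}

# Simple FROM grammar: optional --platform, optional :tag and/or @digest,
# optional "AS alias". Registry hosts with a port are out of scope here.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>[^\s:@]+)"
    r"(?::(?P<tag>[^\s@]+))?(?:@(?P<digest>\S+))?"
    r"(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)


def parse_from_lines(text):
    """One dict per FROM instruction, in file order."""
    stages = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if m:
            stages.append({"line_no": line_no, **m.groupdict()})
    return stages


def parse_tag(tag):
    """'11.0.14.1_1-jre-alpine' -> ((11, 0, 14, 1, 1), '-jre-alpine');
    None for tags without a leading numeric version such as 'latest'."""
    m = re.match(r"^(\d+(?:[._]\d+)*)(-.*)?$", tag)
    if not m:
        return None
    version = tuple(int(part) for part in re.split(r"[._]", m.group(1)))
    return version, m.group(2) or ""


def latest_compatible(current_tag, candidates, same_major=True):
    """Newest candidate with the same variant suffix and (by default) the same
    major version, mirroring the semver-major ignore rule in the dependabot.yml
    above. Returns None when nothing newer qualifies."""
    parsed = parse_tag(current_tag)
    if parsed is None:
        return None
    cur_version, suffix = parsed
    best = None
    for tag in candidates:
        p = parse_tag(tag)
        if p is None or p[1] != suffix:
            continue
        if same_major and p[0][0] != cur_version[0]:
            continue
        if p[0] > cur_version and (best is None or p[0] > best[0]):
            best = (p[0], tag)
    return best[1] if best else None


def plan_updates_by_name(dockerfile, available):
    """Hypothetical model of the reported behaviour: the dependency is keyed on
    image name only, so the first FROM's tag picks the target and every FROM of
    that image is rewritten to it (not dependabot-core's real implementation)."""
    stages = parse_from_lines(dockerfile)
    first_tag = {}
    for s in stages:
        if s["tag"] is not None and s["image"] not in first_tag:
            first_tag[s["image"]] = s["tag"]
    updates = []
    for image, tag in first_tag.items():
        new = latest_compatible(tag, available.get(image, []))
        if new:
            touched = [s["alias"] or f"line {s['line_no']}"
                       for s in stages if s["image"] == image]
            updates.append({"image": image, "from": tag, "to": new, "stages": touched})
    return updates


def plan_updates_per_stage(dockerfile, available):
    """Key each candidate on (image, current tag): identical pins still share
    one update, but differently pinned stages each get their own."""
    updates, seen = [], set()
    for s in parse_from_lines(dockerfile):
        if s["tag"] is None or (s["image"], s["tag"]) in seen:
            continue
        seen.add((s["image"], s["tag"]))
        new = latest_compatible(s["tag"], available.get(s["image"], []))
        if new:
            updates.append({"image": s["image"], "alias": s["alias"],
                            "from": s["tag"], "to": new})
    return updates


if __name__ == "__main__":
    print("by name only:", plan_updates_by_name(DOCKERFILE, AVAILABLE))
    print("per stage   :", plan_updates_per_stage(DOCKERFILE, AVAILABLE))
```

Run stand-alone, the by-name plan yields one candidate that rewrites both `java-17` and `java11` to `17.0.6_10-jre-alpine`, which is the unwanted major bump for the java11 stage; the per-stage plan yields two candidates, `17.0.5_8` to `17.0.6_10` and `11.0.14.1_1` to `11.0.18_10`, each within its own major. The dedupe key is the only difference between the two planners.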

deivid-rodriguez commented 1 year ago

Thanks for the nice repro.

This will be partially fixed by #6082. With that PR, Dependabot will no longer incorrectly bump major versions; however, it will still not create two separate PRs, but just one to bump the lowest version (11.0.14.1_1-jre-alpine to 11.0.18_10-jre-alpine).

I will need to further research how to achieve creating two PRs, but for now I'll focus on #6082.

lcooper01 commented 1 year ago

That's great, thanks for your efforts.