Closed janisz closed 1 year ago
From a semver perspective this is an upgrade, since it goes from a 0.0.0 prerelease to a 2.13.0 prerelease.
The issue seems to be that since dex is tagging branches and not the main branch, the Go tooling is generating a v0.0.0-* pseudo-version rather than a v2.36.0-* one when running go get github.com/dexidp/dex@master.
Dependabot doesn't currently support upgrading to unreleased versions, but it's still a possibility: https://github.com/dependabot/dependabot-core/issues/2028
I would suggest adding that dependency to the ignores if you don't want to go to releases because Dependabot will keep trying to upgrade it.
Closing, as I'm not sure there's anything we can do here, beyond #2028 which is already open.
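The ordering the comments above describe, as an added example that is not code from Dependabot, dex or the linked PR: it reimplements semver 2.0 precedence and the go command's three pseudo-version shapes in plain Go, then checks that v0.0.0-20230320125501-2bb4896d120e sorts below v2.13.0+incompatible (so a semver-based updater calls the tagged release an upgrade), while the same commit would sort above it had master carried a v2 tagged ancestor. The commit hash and timestamp are taken from the updated dependency in this issue; the base tags v2.35.3 and v2.36.0-rc1 are hypothetical stand-ins for whatever tag master might have had, and the example ignores the +incompatible marker the go command appends to pseudo-versions of v2+ modules without a /vN path suffix.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// pseudoRE matches the pseudo-version shapes the go command emits:
//   vX.0.0-yyyymmddhhmmss-abcdefabcdef        (no tagged ancestor)
//   vX.Y.Z-pre.0.yyyymmddhhmmss-abcdefabcdef  (base tag is a pre-release)
//   vX.Y.(Z+1)-0.yyyymmddhhmmss-abcdefabcdef  (base tag is a release)
// with an optional +incompatible suffix.
var pseudoRE = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:[^+]*\.)?\d{14}-[0-9a-f]{12}(?:\+incompatible)?$`)

// IsPseudoVersion reports whether v looks like a Go pseudo-version.
func IsPseudoVersion(v string) bool { return pseudoRE.MatchString(v) }

// SemVer holds the parts of a semver string; Build is ignored for precedence.
type SemVer struct {
	Major, Minor, Patch int
	Pre, Build          string
}

// Parse splits "vMAJOR.MINOR.PATCH[-PRE][+BUILD]" into its parts.
func Parse(v string) (SemVer, error) {
	var sv SemVer
	s := strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		sv.Build, s = s[i+1:], s[:i]
	}
	if i := strings.IndexByte(s, '-'); i >= 0 {
		sv.Pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return sv, fmt.Errorf("bad version %q", v)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return sv, fmt.Errorf("bad version %q", v)
		}
		nums[i] = n
	}
	sv.Major, sv.Minor, sv.Patch = nums[0], nums[1], nums[2]
	return sv, nil
}

// comparePre orders two pre-release strings identifier by identifier:
// numeric identifiers compare numerically and sort before alphanumeric ones,
// and a shorter identifier list sorts first when all shared parts are equal.
func comparePre(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		an, aErr := strconv.Atoi(as[i])
		bn, bErr := strconv.Atoi(bs[i])
		switch {
		case aErr == nil && bErr == nil:
			if an != bn {
				if an < bn {
					return -1
				}
				return 1
			}
		case aErr == nil:
			return -1
		case bErr == nil:
			return 1
		default:
			if c := strings.Compare(as[i], bs[i]); c != 0 {
				return c
			}
		}
	}
	return len(as) - len(bs)
}

// Compare returns -1, 0 or 1 under semver precedence: core numbers first,
// then a release beats any pre-release of the same core.
func Compare(a, b SemVer) int {
	for _, p := range [][2]int{{a.Major, b.Major}, {a.Minor, b.Minor}, {a.Patch, b.Patch}} {
		if p[0] != p[1] {
			if p[0] < p[1] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.Pre == b.Pre:
		return 0
	case a.Pre == "":
		return 1
	case b.Pre == "":
		return -1
	}
	return comparePre(a.Pre, b.Pre)
}

// IsUpgrade reports whether moving from cur to cand is an upgrade under semver
// precedence, the comparison this issue turns on.
func IsUpgrade(cur, cand string) (bool, error) {
	c, err := Parse(cur)
	if err != nil {
		return false, err
	}
	d, err := Parse(cand)
	if err != nil {
		return false, err
	}
	return Compare(d, c) > 0, nil
}

// PseudoVersion derives the pseudo-version the go command assigns to a commit
// from its nearest tagged ancestor ("" when none), its yyyymmddhhmmss commit
// time and its 12-character hash prefix. Assumes a module path without a /vN
// suffix, so an untagged history yields a v0.0.0 base.
func PseudoVersion(baseTag, timestamp, hash string) (string, error) {
	if baseTag == "" {
		return fmt.Sprintf("v0.0.0-%s-%s", timestamp, hash), nil
	}
	sv, err := Parse(baseTag)
	if err != nil {
		return "", err
	}
	if sv.Pre != "" {
		return fmt.Sprintf("v%d.%d.%d-%s.0.%s-%s", sv.Major, sv.Minor, sv.Patch, sv.Pre, timestamp, hash), nil
	}
	return fmt.Sprintf("v%d.%d.%d-0.%s-%s", sv.Major, sv.Minor, sv.Patch+1, timestamp, hash), nil
}

func main() {
	cur := "v0.0.0-20230320125501-2bb4896d120e" // from the updated dependency in this issue
	cand := "v2.13.0+incompatible"
	up, _ := IsUpgrade(cur, cand)
	fmt.Printf("%s -> %s: upgrade=%v pseudo=%v\n", cur, cand, up, IsPseudoVersion(cur))
	// Hypothetical base tags: what the same master commit would be called
	// if a v2 tag were reachable from it, and how that compares to v2.13.0.
	for _, base := range []string{"", "v2.35.3", "v2.36.0-rc1"} {
		pv, _ := PseudoVersion(base, "20230320125501", "2bb4896d120e")
		up, _ := IsUpgrade(pv, cand)
		fmt.Printf("base %-12q -> %-45s upgrade to %s: %v\n", base, pv, cand, up)
	}
}
```

The +incompatible marker on 2.13.0 is build metadata and carries no precedence weight, so only the v0 core of the pseudo-version makes the tagged release win; a v2-based pseudo-version such as v2.35.4-0.20230320125501-2bb4896d120e would not be "upgraded" to v2.13.0 by the same comparison.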
Is there an existing issue for this?
Package ecosystem: Go
Package manager version: No response
Language version: 1.18
Manifest location and content before the Dependabot update:
dependabot.yml content:
Updated dependency: github.com/dexidp/dex from 0.0.0-20230320125501-2bb4896d120e to 2.13.0+incompatible
What you expected to see, versus what you actually saw: I'd expect it to use the latest master commit instead of an old version.
Native package manager behavior: No response
Images of the diff or a link to the PR, issue, or logs: https://github.com/stackrox/stackrox/pull/5465
Smallest manifest that reproduces the issue: No response