dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Grouped updates not respecting `update-types` #8022

Open MuriloDalRi opened 1 year ago

MuriloDalRi commented 1 year ago

Is there an existing issue for this?

Package ecosystem

Bundler

Package manager version

2.4.9

Language version

3.1.2

Manifest location and content before the Dependabot update

/Gemfile

dependabot.yml content

https://github.com/MuriloDalRi/support/blob/main/.github/dependabot.yml

Updated dependency

redis from 4.0.0 to 5.0.7

What you expected to see, versus what you actually saw

I have specified in my dependabot.yml file that only minor and patch updates should be grouped, but a major update for Redis is being included in the changes.

A major Redis update should not be included in these changes. Dependabot knows to open a separate PR for it and doesn't include Redis in the PR description, but it is in the code changes.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

Grouped Dependabot PR

Smallest manifest that reproduces the issue

No response

jakecoffman commented 1 year ago

Using the Dependabot CLI I can reproduce the redis major bump without groups:

job:
  allowed-updates:
    - dependency-name: rails
  package-manager: bundler
  source:
    provider: github
    repo: MuriloDalRi/support
    directory: "/."
    branch:
    api-endpoint: https://api.github.com/
    hostname: github.com

Using this input file in the command dependabot update -f input.yml produces a lockfile that bumps redis to 5.0.7.

If I clone the repo and have bundler upgrade rails it also bumps to 5.0.7:

git clone https://github.com/MuriloDalRi/support.git
cd support
bundler update rails

@deivid-rodriguez is there a way to track down why Bundler is bumping redis to the next major in this case?

deivid-rodriguez commented 1 year ago

Bundler bumps everything to latest by default, unless conservative update options are given. The --patch, --minor, --major, --strict, and --conservative options to bundle lock & bundle update may be relevant/useful here.
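A quick check for the mismatch this issue describes, added here as an example and not part of the thread or of dependabot-core: compare the Gemfile.lock before and after a grouped update and flag any gem whose bump type is outside the group's update-types. The two lockfile fragments and the minor/patch allow-list are constructed for the example.

```ruby
# Added example: detect lockfile bumps that a grouped update's update-types did not allow.
require "rubygems"

# Constructed Gemfile.lock fragments (only the specs section matters for this check).
LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (7.0.4)
      rake (13.0.6)
      redis (4.0.0)
LOCK

LOCK_AFTER = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (7.0.8)
      rake (13.1.0)
      redis (5.0.7)
LOCK

# Parse the "    name (version)" spec lines into { name => Gem::Version }.
def lock_versions(lock)
  lock.scan(/^    ([\w\-.]+) \(([\w.]+)\)$/).to_h { |name, ver| [name, Gem::Version.new(ver)] }
end

# Classify the change between two versions as "major", "minor", "patch", or nil when unchanged.
def bump_type(from, to)
  return nil if from == to
  a, b = from.segments, to.segments
  return "major" if a[0] != b[0]
  return "minor" if a[1] != b[1]
  "patch"
end

# Return { name => [from, to, type] } for every bump whose type is not in `allowed`
# (the group's update-types); these are the changes that slipped into the lockfile.
def disallowed_bumps(before, after, allowed)
  old, new = lock_versions(before), lock_versions(after)
  new.each_with_object({}) do |(name, to), out|
    from = old[name]
    next unless from
    type = bump_type(from, to)
    out[name] = [from.to_s, to.to_s, type] if type && !allowed.include?(type)
  end
end

if __FILE__ == $0
  disallowed_bumps(LOCK_BEFORE, LOCK_AFTER, %w[minor patch]).each do |name, (from, to, type)|
    puts "#{name}: #{from} -> #{to} is a #{type} bump not covered by the group"
  end
end
```

Run against the real before/after lockfiles of a grouped PR, it lists exactly the entries (here redis 4.0.0 -> 5.0.7) that the PR description omits but the diff still carries.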

carlincherry commented 6 months ago

Hi @deivid-rodriguez, have you continued to notice this behavior?

deivid-rodriguez commented 6 months ago

@carlincherry I don't recall seeing this behavior myself, but yeah, if Dependabot is internally not explicitly passing conservative flags by default, then this is likely to happen, yeah. To further complicate things, Dependabot doesn't directly shell out to bundler, but uses Bundler internals, so this is not as simple as "passing a flag to the Bundler CLI".

abdulapopoola commented 6 months ago

Seems like an opportunity to rely more on the native Bundler CLI and add improvements therein. Tagging @jonjanego as this might eventually fall into ecosystems.