We have a lot more than three sub-projects and I don't believe that the number or content of the manifest files for these sub-projects is irrelevant, so I have just selected one as the example.
dependabot.yml content
```yaml
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
  - package-ecosystem: "gradle"
    open-pull-requests-limit: 10
    directory: "/"
    schedule:
      interval: "weekly"
      day: "sunday"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "sunday"
  - package-ecosystem: "docker"
    directory: "docker"
    schedule:
      interval: "weekly"
      day: "sunday"
```
Updated dependency
None, no PR is created
What you expected to see, versus what you actually saw
Expected dependabot to successfully search through and create PRs for security updates. Instead, this error is displayed.
Note that oslonokkelen-backend/ is appended before the manifest settings.gradle.kts. The correct path to the manifest is /settings.gradle.kts. This is the bug. Nowhere have we configured dependabot to run in a sub-directory. This happens with all vulnerabilities that are found for gradle. Clicking try again will not fix it, and the log looks pretty much the same.
This only seems to happen on the page for a detected vulnerability. Standard scanning for version updates is not affected by this sub-directory bug and they do run weekly successfully. If I were to guess, I would think that the problem lies with the vulnerability scanning algorithm that is creating vulnerabilities for our repo with the wrong information. New vulnerabilities are detected and they show up in the Dependabot alerts page, but they all display this error. Triggering a version update manually through the "Check for updates" button in the Dependency graph page works. Also, when the vulnerability is removed by manually updating the relevant packages, the issue does disappear.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
Update log
```text
proxy | 2023/12/12 13:50:37 proxy starting, commit: 02a8910b917eff32ef3fe812e35a131d6286bc20
proxy | 2023/12/12 13:50:37 Listening (:1080)
updater | 2023-12-12T13:50:39.589340281 [761402441:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2023-12-12T13:50:45Z" level=info msg="guest starting" commit=eb5aa56302357f07a0e790713fa099f11a1af831
updater | time="2023-12-12T13:50:45Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=761402441 updater_timeout=45m0s updater_version=f7c9d9070e7f43d0d59e0692019a0537d3449f4b-gradle
updater | 2023/12/12 13:50:52 INFO Raven 3.1.2 ready to catch errors
updater | 2023/12/12 13:50:59 INFO <job_761402441> Starting job processing
proxy | 2023/12/12 13:51:00 [002] GET https://api.github.com:443/repos/XXXXX/oslonokkelen-backend
proxy | 2023/12/12 13:51:00 [002] * authenticating github api request with token for api.github.com
proxy | 2023/12/12 13:51:00 [002] 200 https://api.github.com:443/repos/XXXXX/oslonokkelen-backend
proxy | 2023/12/12 13:51:01 [004] GET https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/git/refs/heads/master
proxy | 2023/12/12 13:51:01 [004] * authenticating github api request with token for api.github.com
proxy | 2023/12/12 13:51:01 [004] 200 https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/git/refs/heads/master
proxy | 2023/12/12 13:51:01 [006] GET https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/contents/oslonokkelen-backend?ref=a98a904c2235d3b69bf3cb066dee36d8a4e5caf7
proxy | 2023/12/12 13:51:01 [006] * authenticating github api request with token for api.github.com
proxy | 2023/12/12 13:51:01 [006] 404 https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/contents/oslonokkelen-backend?ref=a98a904c2235d3b69bf3cb066dee36d8a4e5caf7
updater | 2023/12/12 13:51:01 ERROR <job_761402441> Error during file fetching; aborting: Dependabot::DirectoryNotFound
updater | 2023/12/12 13:51:01 INFO <job_761402441> Finished job processing
updater | 2023/12/12 13:51:01 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +---------------------+
updater | | Errors              |
updater | +---------------------+
updater | | directory_not_found |
updater | +---------------------+
updater | time="2023-12-12T13:51:01Z" level=info msg="task complete" container_id=job-761402441-file-fetcher exit_code=0 job_id=761402441 step=fetcher
updater | time="2023-12-12T13:51:02Z" level=warning msg="failed during fetch, skipping updater" job_id=761402441
```
It seems like the issue is that dependabot is trying to fetch the contents of the sub-directory /oslonokkelen-backend, when this directory does not exist.
The corresponding lines from the logs of a successful update look like this:
```text
proxy | 2023/12/12 13:44:48 [006] GET https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/contents/?ref=a98a904c2235d3b69bf3cb066dee36d8a4e5caf7
proxy | 2023/12/12 13:44:48 [006] * authenticating github api request with token for api.github.com
proxy | 2023/12/12 13:44:48 [006] 200 https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/contents/?ref=a98a904c2235d3b69bf3cb066dee36d8a4e5caf7
```
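As an added triage helper (not from this issue or from the Dependabot project), the Python below pairs each contents-API request in the proxy log with its response status and compares the requested directory against the directories declared in dependabot.yml, so a job that fetches a directory nobody configured (as the failed job above does) is flagged even before the `DirectoryNotFound` line appears. The log lines and the YAML fragment are copied from the excerpts above; the function names and the regex-based YAML reading are my own assumptions.

```python
import re

# Constructed samples: the contents-API lines from the failed and the successful job excerpts above.
FAILED_JOB_LOG = """\
proxy | 2023/12/12 13:51:01 [006] GET https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/contents/oslonokkelen-backend?ref=a98a904c2235d3b69bf3cb066dee36d8a4e5caf7
proxy | 2023/12/12 13:51:01 [006] * authenticating github api request with token for api.github.com
proxy | 2023/12/12 13:51:01 [006] 404 https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/contents/oslonokkelen-backend?ref=a98a904c2235d3b69bf3cb066dee36d8a4e5caf7
updater | 2023/12/12 13:51:01 ERROR <job_761402441> Error during file fetching; aborting: Dependabot::DirectoryNotFound
"""
OK_JOB_LOG = """\
proxy | 2023/12/12 13:44:48 [006] GET https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/contents/?ref=a98a904c2235d3b69bf3cb066dee36d8a4e5caf7
proxy | 2023/12/12 13:44:48 [006] 200 https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/contents/?ref=a98a904c2235d3b69bf3cb066dee36d8a4e5caf7
"""
# The directory entries from the dependabot.yml in this issue (github-actions omitted, it also uses "/").
DEPENDABOT_YML = 'updates:\n- package-ecosystem: "gradle"\n  directory: "/"\n- package-ecosystem: "docker"\n  directory: "docker"\n'

PROXY_RE = re.compile(r"^proxy \| \S+ \S+ \[(?P<rid>\d+)\] (?P<kind>GET|\d{3}) (?P<url>\S+)$")
CONTENTS_RE = re.compile(r"/repos/(?P<owner>[^/]+)/(?P<repo>[^/]+)/contents/(?P<path>[^?]*)")

def normalize(directory):
    """'/' and '' both mean the repository root; strip surrounding slashes so they compare equal."""
    return directory.strip().strip("/")

def configured_directories(yml_text):
    """Directories dependabot.yml asks Dependabot to scan (plain regex, so no YAML library is needed)."""
    return {normalize(d) for d in re.findall(r'^\s*directory:\s*"?([^"\n]+?)"?\s*$', yml_text, re.M)}

def contents_requests(log_text):
    """Pair each GET on the contents API with its response status, keyed by the proxy request id."""
    pending, done = {}, []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        c = CONTENTS_RE.search(m["url"]) if m else None
        if c is None:
            continue  # not a proxy request/response line, or not a contents-API call
        if m["kind"] == "GET":
            pending[m["rid"]] = {"repo": c["repo"], "path": normalize(c["path"]), "status": None}
        elif m["rid"] in pending:
            req = pending.pop(m["rid"])
            req["status"] = int(m["kind"])
            done.append(req)
    return done

def audit_fetch(log_text, yml_text):
    """Flag contents fetches whose directory is not configured, or that did not return 200."""
    allowed = configured_directories(yml_text)
    findings = []
    for req in contents_requests(log_text):
        if req["path"] not in allowed:
            findings.append(f"fetched '/{req['path']}', not a configured directory {sorted(allowed)}")
        if req["status"] != 200:
            findings.append(f"contents fetch of '/{req['path']}' returned {req['status']}")
    if "Dependabot::DirectoryNotFound" in log_text:
        findings.append("updater aborted with Dependabot::DirectoryNotFound")
    return findings
```

Run `audit_fetch(FAILED_JOB_LOG, DEPENDABOT_YML)` against a job log to get the three findings for the failed job and an empty list for the successful one.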
Smallest manifest that reproduces the issue
Unsure what could be the cause here, so I can't really narrow it down.
Is there an existing issue for this?
Package ecosystem
Gradle
Package manager version
No response
Language version
Kotlin 1.9.21
Manifest location and content before the Dependabot update
Manifests are located in the repo root (/), as well as in sub-directories. Here is the content of /settings.gradle.kts:
Here is the content of /build.gradle.kts:
Here is the content of /blablabla-one/build.gradle.kts, the manifest for one of the sub-projects: