Open bryan-bar opened 8 months ago
Two issues that might be related: https://github.com/dependabot/dependabot-core/issues/5772 https://github.com/dependabot/dependabot-core/issues/6592
Recent PRs from AWS and Azure with the wrong minor version applied:
Dependabot log:
updater | +-------------------------------------------------+
updater | | Changes to Dependabot Pull Requests |
updater | +---------+---------------------------------------+
updater | | created | hashicorp/azurerm ( from to 3.90.0 ) |
updater | | created | hashicorp/aws ( from to 5.35.0 ) |
updater | +---------+---------------------------------------+
AWS:
https://github.com/EnterpriseDB/edb-terraform/pull/114
Update hashicorp/aws requirement from <= 5.34.0 to <= 5.36.0 in /edbterraform/data/terraform
Azure:
https://github.com/EnterpriseDB/edb-terraform/pull/113
Update hashicorp/azurerm requirement from <= 3.89.0 to <= 3.91.0 in /edbterraform/data/terraform
I've found that this can also affect the Cargo ecosystem (Rust). At the time of writing this gix 0.63
does not exist, yet dependabot made https://github.com/spenserblack/gengo/pull/344/commits/2fe106369d1330d4ac5ece30ed7c9d2ba5c160ed in https://github.com/spenserblack/gengo/pull/344
I opened a PR with a fix for the Cargo ecosystem. Can you review the fix? Let's not clutter this issue with more Cargo talk and discuss it there. #9828
Is there an existing issue for this?
Package ecosystem
Terraform
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
/edbterraform/data/terraform/versions.tf
dependabot.yml content
Updated dependency
EnterpriseDB/biganimal v0.6.1 -> v0.7.1
What you expected to see, versus what you actually saw
The wrong patch number is applied while using the less than/equals, <=, constraint. The minor and patch version should both be updated since the dependabot logs show the latest provider as 0.7.0, which is the latest release as of 2024-01-12. This bug report was created 2024-02-02.
Expected:
<= 0.6.1 -> <= 0.7.0
Result:
<= 0.6.1 -> <= 0.7.1
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
Pull Request: https://github.com/EnterpriseDB/edb-terraform/pull/109 PR title:
Update EnterpriseDB/biganimal requirement from <= 0.6.1 to <= 0.7.1 in /edbterraform/data/terraform
Dependabot Logs:
Dependabot PR changelog: Commit:
Smallest manifest that reproduces the issue
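A check a maintainer can run over Dependabot PR titles before merging a "<=" bump, added here as an example and not part of the issue or of dependabot-core: it parses the titles quoted in this thread, recomputes the upper bound that should have been proposed (the newest version that actually exists), and rejects a bound that is not a published release, since such a bound silently admits a future, unreviewed release. The release lists are constructed for the example and assumed to reflect what existed when the PRs were opened.

```python
import re
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]

# PR titles quoted in the issue above.
PR_TITLES = [
    "Update hashicorp/aws requirement from <= 5.34.0 to <= 5.36.0 in /edbterraform/data/terraform",
    "Update hashicorp/azurerm requirement from <= 3.89.0 to <= 3.91.0 in /edbterraform/data/terraform",
    "Update EnterpriseDB/biganimal requirement from <= 0.6.1 to <= 0.7.1 in /edbterraform/data/terraform",
]
# Constructed release lists: assumed to be what existed when the PRs were opened
# (the issue reports 5.35.0, 3.90.0 and 0.7.0 as the latest releases).
RELEASED: Dict[str, List[str]] = {
    "hashicorp/aws": ["5.33.0", "5.34.0", "5.35.0"],
    "hashicorp/azurerm": ["3.88.0", "3.89.0", "3.90.0"],
    "EnterpriseDB/biganimal": ["0.6.0", "0.6.1", "0.7.0"],
}

TITLE_RE = re.compile(r"^Update (\S+) requirement from <= (\S+) to <= (\S+) in ")

def parse_version(text: str) -> Version:
    """'v0.7.1' -> (0, 7, 1); numeric compare, so 0.10.0 > 0.9.0."""
    return tuple(int(p) for p in text.lstrip("v").split("."))

def expected_upper_bound(released: Iterable[str]) -> str:
    """Correct target for a '<= X' bump: the newest version that actually exists."""
    return max(released, key=parse_version)

def check_pr_title(title: str, released_by_name: Dict[str, List[str]]) -> dict:
    """Compare the bound Dependabot proposed with the bound it should have proposed."""
    m = TITLE_RE.match(title)
    if not m:
        raise ValueError(f"not a '<=' bump title: {title!r}")
    name, old, new = m.groups()
    released = released_by_name[name]
    expected = expected_upper_bound(released)
    return {
        "name": name,
        "old": old,
        "proposed": new,
        "expected": expected,
        "proposed_exists": new in released,  # False => bound points at an unpublished version
        "ok": new == expected,
    }

def audit(titles: Iterable[str], released_by_name: Dict[str, List[str]]) -> List[dict]:
    return [check_pr_title(t, released_by_name) for t in titles]

if __name__ == "__main__":
    for r in audit(PR_TITLES, RELEASED):
        status = "OK" if r["ok"] else "REJECT"
        print(f'{status}: {r["name"]} proposed <= {r["proposed"]}, expected <= {r["expected"]}, exists={r["proposed_exists"]}')
```

Run against the three titles, every PR is rejected because the proposed bound is not a released version; the expected bounds are 5.35.0, 3.90.0 and 0.7.0.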