Dependabot ignoring group

[Drowze]

Is there an existing issue for this?

• [X] I have searched the existing issues

Package ecosystem

bundler

Package manager version

2.5.4

Language version

Ruby 3.2

Manifest location and content before the Dependabot update

It's a private project with a lot of private gems (private gems being hosted GitHub Packages), but here's some relevant bits:

Gemfile

source "https://rubygems.org"

ruby File.read(File.join(__dir__, ".ruby-version")).strip

source "https://rubygems.pkg.github.com/Over-haul" do
  gem "gem_a"
  gem "gem_b"
  gem "gem_c"
end

gem "rails", "~> 7.1.3"
gem "foundation-rails", "5.4.5.0"
gem "wicked_pdf", "~> 1.4.0"
gem "graphql", "~> 2.0.28"
gem "karafka"

source "https://REDACTED@gems.karafka.io" do
  gem "karafka-license", "1.abc123" # pro version
end

gem "psych", "~> 3.3.4"

group :test do
  gem "rspec-rails"
  gem "diff-lcs"
  gem "karafka-testing"
end

dependabot.yml content

untouched except for internal-library names

version: 2
registries:
  ruby-github:
    type: rubygems-server
    url: https://rubygems.pkg.github.com/Over-haul/github_api
    token: ${{ secrets.PAT }}

updates:
  - package-ecosystem: "bundler"
    directory: "/"
    insecure-external-code-execution: allow
    registries:
      - ruby-github
    schedule:
      # By default, this is on Monday
      interval: "weekly"
    commit-message:
      prefix: "[Dependabot]"
    pull-request-branch-name:
      separator: "-"
    labels:
      - dependencies
      - ruby
    groups:
      karafka:
        patterns:
          - "karafka*"
          - "waterdrop"
      internal-libraries:
        patterns:
          - "gem_a"
          - "gem_b"
      dev-dependencies:
        dependency-type: "development"
      prod-dependencies:
        dependency-type: "production"

    ignore:
      # Our own gems
      - dependency-name: "gem_c"
      # Locked dependencies
      - dependency-name: "foundation-rails"
      # Locked dependencies (patch version upgrade allowed)
      - dependency-name: "psych"
        update-types: ["version-update:semver-minor"]
      - dependency-name: "graphql"
        update-types: ["version-update:semver-minor"]
      - dependency-name: "rails"
        update-types: ["version-update:semver-minor"]
      - dependency-name: "wicked_pdf"
        update-types: ["version-update:semver-minor"]
      # Allow only minor and patch version updates
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

Updated dependency

No response

What you expected to see, versus what you actually saw

I expected Dependabot to open separate PRs for Karafka whenever the update would contain either:

• waterdrop
• any gem with name starting with karafka

I also would NOT expect Dependabot to open a PR for the dev-dependencies group updating a gem that is specifically NOT in either the test or development gem group - but it did open the PR including karafka (which is not in any gem group)

But instead, Dependabot opened the dev-dependencies group PR updating karafka, karafka-testing and even waterdrop (though that's not in the PR description as it's not explicitly defined in the Gemfile)

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

PR:

Diff:

Excerpt from relevant logs (job id 780006799):

updater | 2024/01/29 16:06:02 INFO <job_780006799> Starting job processing
updater | 2024/01/29 16:06:04 INFO <job_780006799> Starting grouped update job for Over-haul/repo
updater | 2024/01/29 16:06:04 INFO <job_780006799> Found 4 group(s).
updater | 2024/01/29 16:06:04 INFO <job_780006799> Starting update group for 'dev-dependencies'
...
updater | 2024/01/29 16:07:58 INFO <job_780006799> Checking if karafka-testing 2.2.2 needs updating
updater | 2024/01/29 16:07:58 INFO <job_780006799> Ignored versions:
updater | 2024/01/29 16:07:58 INFO <job_780006799>   version-update:semver-major - from .github/dependabot.yml
updater | 2024/01/29 16:07:58 INFO <job_780006799> Latest version is 2.3.0
updater | 2024/01/29 16:09:24 INFO <job_780006799> Requirements to unlock all
updater | 2024/01/29 16:09:24 INFO <job_780006799> Requirements update strategy bump_versions
updater | 2024/01/29 16:09:24 INFO <job_780006799> Updating karafka-testing, karafka
...
updater | 2024/01/29 16:10:25 INFO <job_780006799> Creating a pull request for 'dev-dependencies'
updater | 2024/01/29 16:10:39 INFO <job_780006799> Starting update group for 'internal-libraries'
...
updater | 2024/01/29 16:10:50 INFO <job_780006799> Nothing to update for Dependency Group: 'internal-libraries'
updater | 2024/01/29 16:10:50 INFO <job_780006799> Starting update group for 'karafka'
updater | 2024/01/29 16:10:50 INFO <job_780006799> Skipping karafka as it has already been handled by a previous group
updater | 2024/01/29 16:10:51 INFO <job_780006799> Checking if karafka-license 1.abc123 needs updating
updater | 2024/01/29 16:10:51 INFO <job_780006799> Ignored versions:
updater | 2024/01/29 16:10:51 INFO <job_780006799>   version-update:semver-major - from .github/dependabot.yml
updater | 2024/01/29 16:10:52 INFO <job_780006799> Latest version is 1.abc123
updater | 2024/01/29 16:10:52 INFO <job_780006799> No update needed for karafka-license 1.abc123
updater | 2024/01/29 16:10:52 INFO <job_780006799> Skipping karafka-testing as it has already been handled by a previous group
updater | 2024/01/29 16:10:52 INFO <job_780006799> Nothing to update for Dependency Group: 'karafka'
updater | 2024/01/29 16:10:52 INFO <job_780006799> Starting update group for 'prod-dependencies'
...
updater | 2024/01/29 16:23:14 INFO <job_780006799> Skipping karafka as it has already been handled by a previous group
...
updater | 2024/01/29 16:23:22 INFO <job_780006799> Skipping karafka-license as it has already been handled by a previous group
...
updater | 2024/01/29 16:23:28 INFO <job_780006799> Creating a pull request for 'prod-dependencies'
updater | 2024/01/29 16:23:39 INFO <job_780006799> Starting update job for Over-haul/repo
updater | 2024/01/29 16:23:39 INFO <job_780006799> Checking all dependencies for version updates...
...
updater | 2024/01/29 16:23:48 INFO <job_780006799> Finished job processing
updater | 2024/01/29 16:23:48 INFO Results:
updater | +------------------------------------------------------------------------------------------------------------------------------------+
updater | |                                                Changes to Dependabot Pull Requests                                                 |
updater | +---------+--------------------------------------------------------------------------------------------------------------------------+
updater | | created | rspec-rails ( from 6.1.0 to 6.1.1 ), karafka-testing ( from 2.2.2 to 2.3.0 ), karafka ( from 2.2.14 to 2.3.0 )           |
updater | | created | aws-sdk-kinesis ( from 1.54.0 to 1.55.0 ), aws-sdk-s3 ( from 1.142.0 to 1.143.0 ), prawn-svg ( from 0.33.0 to 0.34.0 ... |
updater | +---------+--------------------------------------------------------------------------------------------------------------------------+
updater | time="2024-01-29T16:23:48Z" level=info msg="task complete" container_id=job-780006799-updater exit_code=0 job_id=780006799 step=updater

Smallest manifest that reproduces the issue

No response

[jurre]

At a first glance it seems like this happens because karafka-testing depends on the karafka gem:

updater | 2024/01/29 16:09:24 INFO <job_780006799> Requirements to unlock all
updater | 2024/01/29 16:09:24 INFO <job_780006799> Requirements update strategy bump_versions
updater | 2024/01/29 16:09:24 INFO <job_780006799> Updating karafka-testing, karafka

In order to upgrade karafka-testing, bundler needs to also update karafka and there is not much that we can do to prevent bundler from doing that?

[Drowze]

Right, but shouldn't karafka-testing be grouped inside the karafka group? Since I'm defining the karafka group with a pattern which I believe should include karafka-testing:

    groups:
      karafka:
        patterns:
          - "karafka*"
          - "waterdrop"

So I wouldn't expect that karafka-testing is included in dev-dependencies group (even though it technically is a dev dependency, it should be matched first into the karafka group. By the way I also thought that the order of the groups are defined would be respected (note that I define the karafka group before the other groups), but doesn't look to be the case as dev-dependencies was checked before the karafka group 🤔

[jurre]

Yeah that's a good point, we currently don't respect the order in which groups are defined and that's a bug that we can and will fix. It's been on our radar. Right now the groups are getting processed in alphabetical order which is why dev-dependencies is going first, it's been on our radar and hoping to get to it soon! All in all I agree it leads to unexpected results and a frustrating experience in your scenario.

[Drowze]

Got it, thank you for confirming the issue @jurre - I understand this issue is related to the processing order of the groups. Looking forward to updates on it :)

Just to be clear, I assumed the order of the groups should be respected given this excerpt from the documentation: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#example-4

Dependabot creates groups in the order they appear in your dependabot.yml file. If a dependency update could belong to more than one group, it is only assigned to the first group it matches with.

[Drowze]

Update: I updated our dependabot.yml as such:

    groups:
      ...
      dev-dependencies:
        dependency-type: "development"
+       exclude-patterns:
+         - "karafka-testing"

That fixed the dev-dependencies PRs... But then Dependabot tried to rebase an existing prod-dependencies PR before creating a karafka group PR - which led to Dependabot creating a prod-dependencies PR with the karafka upgrade 😅

Sounds like a tricky issue for Dependabot to fix 🤔

[Drowze]

Any updates to this? It looks like this is still an issue in our end.

[Nishnha]

Hi we fixed the issue around ordering with groups. The PRs in your test repo look to be correct to me https://github.com/Drowze/test-dependabot/pulls

What is broken on your private repo?

[Drowze]

Hello,

Sorry for the delay - I wasn't available for most of the week.

In our private repo we still see the issue, at least when Dependabot is rebasing an existing PR we have in our prod-dependencies group (note: this group has been being rebased since 26 March and wasn't merged yet - not sure if the issue will stop happening once we merge this PR 🤔).

• Our dependabot config: hasn't change from what I left in the opening comment.

• Relevant Dependabot logs:

  updater | 2024-04-25T15:07:29.330051174 [819806013:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
  updater | time="2024-04-25T15:07:33Z" level=info msg="guest starting" commit=23d5de4e561c0902c1073f9798c09b5fb9912de9
  updater | time="2024-04-25T15:07:33Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=819806013 updater_timeout=45m0s updater_version=52ae158c29801a46ab1a9b09f63ec88380c16366-bundler
  updater | 2024/04/25 15:07:41 INFO <job_819806013> Starting job processing
  updater | 2024/04/25 15:07:41 INFO <job_819806013> Job definition: ...
  updater | 2024/04/25 15:07:50 INFO <job_819806013> Finished job processing
  updater | time="2024-04-25T15:07:50Z" level=info msg="task complete" container_id=job-819806013-file-fetcher exit_code=0 job_id=819806013 step=fetcher
  updater | 2024/04/25 15:07:54 INFO <job_819806013> Starting job processing
  updater | 2024/04/25 15:07:57 INFO <job_819806013> Starting PR update job for Over-haul/repo
  updater | 2024/04/25 15:07:57 INFO <job_819806013> Updating the 'prod-dependencies' group
  ...
  updater | 2024/04/25 15:23:52 INFO <job_819806013> Checking if karafka 2.3.3 needs updating
  updater | 2024/04/25 15:23:52 INFO <job_819806013> Ignored versions:
  updater | 2024/04/25 15:23:52 INFO <job_819806013>   version-update:semver-major - from .github/dependabot.yml
  updater | 2024/04/25 15:23:52 INFO <job_819806013> Filtered out 37 pre-release versions
  updater | 2024/04/25 15:23:52 INFO <job_819806013> Latest version is 2.3.4
  updater | 2024/04/25 15:24:38 INFO <job_819806013> Requirements to unlock own
  updater | 2024/04/25 15:24:38 INFO <job_819806013> Requirements update strategy bump_versions
  updater | 2024/04/25 15:24:38 INFO <job_819806013> Updating karafka from 2.3.3 to 2.3.4
  ...
  updater | 2024/04/25 15:26:36 INFO <job_819806013> Checking if karafka-license 1.REDACTED needs updating
  updater | 2024/04/25 15:26:36 INFO <job_819806013> Ignored versions:
  updater | 2024/04/25 15:26:36 INFO <job_819806013>   version-update:semver-major - from .github/dependabot.yml
  updater | 2024/04/25 15:26:38 INFO <job_819806013> Latest version is 1.REDACTED
  updater | 2024/04/25 15:26:38 INFO <job_819806013> No update needed for karafka-license 1.REDACTED
  updater | 2024/04/25 15:26:39 INFO <job_819806013> Checking if sidekiq-pro 5.5.8 needs updating
  ...
  updater | 2024/04/25 15:27:31 INFO <job_819806013> Requirements to unlock own
  updater | 2024/04/25 15:27:31 INFO <job_819806013> Requirements update strategy bump_versions
  updater | 2024/04/25 15:27:31 INFO <job_819806013> Updating faker from 3.2.3 to 3.3.1
  updater | 2024/04/25 15:28:04 INFO <job_819806013> Updating pull request for 'prod-dependencies'
  updater | 2024/04/25 15:28:04 INFO <job_819806013> Finished job processing
  updater | 2024/04/25 15:28:04 INFO Results:
  updater | +------------------------------------------------------------------------------------------------------------------------------------+
  updater | |                                                Changes to Dependabot Pull Requests                                                 |
  updater | +---------+--------------------------------------------------------------------------------------------------------------------------+
  updater | | updated | rake ( from 00.0.0 to 00.0.0 ), aws-sdk-s3 ( from 0.000.0 to 0.000.0 ), ddtrace ( from 0.00.0 to 0.00.0 ), karafka ( ... |
  updater | +---------+--------------------------------------------------------------------------------------------------------------------------+
  updater | time="2024-04-25T15:28:04Z" level=info msg="task complete" container_id=job-819806013-updater exit_code=0 job_id=819806013 step=updater

• Created PR: