Open Drowze opened 7 months ago
At a first glance it seems like this happens because karafka-testing depends on the karafka gem:
updater | 2024/01/29 16:09:24 INFO <job_780006799> Requirements to unlock all
updater | 2024/01/29 16:09:24 INFO <job_780006799> Requirements update strategy bump_versions
updater | 2024/01/29 16:09:24 INFO <job_780006799> Updating karafka-testing, karafka
In order to upgrade karafka-testing, bundler needs to also update karafka, and there is not much that we can do to prevent bundler from doing that?
Right, but shouldn't karafka-testing be grouped inside the karafka group? Since I'm defining the karafka group with a pattern which I believe should include karafka-testing:
groups:
  karafka:
    patterns:
      - "karafka*"
      - "waterdrop"
So I wouldn't expect that karafka-testing is included in the dev-dependencies group (even though it technically is a dev dependency, it should be matched first into the karafka group).
By the way, I also thought that the order in which the groups are defined would be respected (note that I define the karafka group before the other groups), but that doesn't look to be the case, as dev-dependencies was checked before the karafka group 🤔
Yeah, that's a good point: we currently don't respect the order in which groups are defined, and that's a bug that we can and will fix. It's been on our radar. Right now the groups are getting processed in alphabetical order, which is why dev-dependencies is going first; it's been on our radar and we're hoping to get to it soon! All in all I agree it leads to unexpected results and a frustrating experience in your scenario.
Got it, thank you for confirming the issue @jurre. I understand this issue is related to the processing order of the groups. Looking forward to updates on it :)
Just to be clear, I assumed the order of the groups should be respected given this excerpt from the documentation: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#example-4
Dependabot creates groups in the order they appear in your dependabot.yml file. If a dependency update could belong to more than one group, it is only assigned to the first group it matches with.
Update: I updated our dependabot.yml as such:
groups:
  ...
  dev-dependencies:
    dependency-type: "development"
+   exclude-patterns:
+     - "karafka-testing"
That fixed the dev-dependencies PRs... But then Dependabot tried to rebase an existing prod-dependencies PR before creating a karafka group PR, which led to Dependabot creating a prod-dependencies PR with the karafka upgrade 😅
Sounds like a tricky issue for Dependabot to fix 🤔
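To make the two behaviours discussed above concrete, here is an added simulation (not Dependabot's own code) of the documented first-match rule: each dependency goes to the first group that matches, and the outcome differs depending on whether groups are walked in document order or alphabetically. The config mirrors the one posted in this thread; the Gemfile facts are constructed, and File.fnmatch is assumed as a stand-in for Dependabot's glob matching.

```ruby
require "yaml"

# Constructed config mirroring the thread's dependabot.yml; the karafka group is
# defined first, dev-dependencies last.
CONFIG = YAML.safe_load(<<~YAML)
  groups:
    karafka:
      patterns:
        - "karafka*"
        - "waterdrop"
    prod-dependencies:
      dependency-type: "production"
    dev-dependencies:
      dependency-type: "development"
YAML

# Constructed Gemfile facts: gem name => bundler group it lives in.
DEPS = {
  "karafka"         => :production,
  "karafka-testing" => :development,
  "waterdrop"       => :production,
  "faker"           => :development,
}

# Does a single group's rules accept this dependency? (File.fnmatch is an
# assumed stand-in for Dependabot's pattern matching.)
def matches_group?(name, dep_type, rules)
  return false if Array(rules["exclude-patterns"]).any? { |p| File.fnmatch(p, name) }
  wanted = rules["dependency-type"]
  type_ok = wanted.nil? || ((wanted == "development") == (dep_type != :production))
  patterns = rules["patterns"]
  pattern_ok = patterns.nil? || patterns.any? { |p| File.fnmatch(p, name) }
  type_ok && pattern_ok
end

# Assign each dependency to the first group in `order` that matches it.
def assign_groups(groups, deps, order)
  deps.to_h do |name, dep_type|
    group = order.find { |g| matches_group?(name, dep_type, groups[g]) }
    [name, group || "ungrouped"]
  end
end

def document_order(groups)
  groups.keys                 # what the docs promise
end

def alphabetical_order(groups)
  groups.keys.sort            # what the thread says Dependabot was doing
end
```

Walking the groups alphabetically puts karafka-testing into dev-dependencies, while document order (or an exclude-patterns entry on dev-dependencies, as in the update above) lands it in the karafka group; the simulation does not model bundler then dragging karafka along as a transitive update.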
Any updates to this? It looks like this is still an issue on our end.
Hi, we fixed the issue around ordering with groups. The PRs in your test repo look to be correct to me: https://github.com/Drowze/test-dependabot/pulls
What is broken on your private repo?
Hello,
Sorry for the delay, I wasn't available for most of the week.
In our private repo we still see the issue, at least when Dependabot is rebasing an existing PR we have in our prod-dependencies group (note: this group has been being rebased since 26 March and wasn't merged yet; not sure if the issue will stop happening once we merge this PR 🤔).
Our dependabot config hasn't changed from what I left in the opening comment.
Relevant Dependabot logs:
updater | 2024-04-25T15:07:29.330051174 [819806013:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2024-04-25T15:07:33Z" level=info msg="guest starting" commit=23d5de4e561c0902c1073f9798c09b5fb9912de9
updater | time="2024-04-25T15:07:33Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=819806013 updater_timeout=45m0s updater_version=52ae158c29801a46ab1a9b09f63ec88380c16366-bundler
updater | 2024/04/25 15:07:41 INFO <job_819806013> Starting job processing
updater | 2024/04/25 15:07:41 INFO <job_819806013> Job definition: ...
updater | 2024/04/25 15:07:50 INFO <job_819806013> Finished job processing
updater | time="2024-04-25T15:07:50Z" level=info msg="task complete" container_id=job-819806013-file-fetcher exit_code=0 job_id=819806013 step=fetcher
updater | 2024/04/25 15:07:54 INFO <job_819806013> Starting job processing
updater | 2024/04/25 15:07:57 INFO <job_819806013> Starting PR update job for Over-haul/repo
updater | 2024/04/25 15:07:57 INFO <job_819806013> Updating the 'prod-dependencies' group
...
updater | 2024/04/25 15:23:52 INFO <job_819806013> Checking if karafka 2.3.3 needs updating
updater | 2024/04/25 15:23:52 INFO <job_819806013> Ignored versions:
updater | 2024/04/25 15:23:52 INFO <job_819806013> version-update:semver-major - from .github/dependabot.yml
updater | 2024/04/25 15:23:52 INFO <job_819806013> Filtered out 37 pre-release versions
updater | 2024/04/25 15:23:52 INFO <job_819806013> Latest version is 2.3.4
updater | 2024/04/25 15:24:38 INFO <job_819806013> Requirements to unlock own
updater | 2024/04/25 15:24:38 INFO <job_819806013> Requirements update strategy bump_versions
updater | 2024/04/25 15:24:38 INFO <job_819806013> Updating karafka from 2.3.3 to 2.3.4
...
updater | 2024/04/25 15:26:36 INFO <job_819806013> Checking if karafka-license 1.REDACTED needs updating
updater | 2024/04/25 15:26:36 INFO <job_819806013> Ignored versions:
updater | 2024/04/25 15:26:36 INFO <job_819806013> version-update:semver-major - from .github/dependabot.yml
updater | 2024/04/25 15:26:38 INFO <job_819806013> Latest version is 1.REDACTED
updater | 2024/04/25 15:26:38 INFO <job_819806013> No update needed for karafka-license 1.REDACTED
updater | 2024/04/25 15:26:39 INFO <job_819806013> Checking if sidekiq-pro 5.5.8 needs updating
...
updater | 2024/04/25 15:27:31 INFO <job_819806013> Requirements to unlock own
updater | 2024/04/25 15:27:31 INFO <job_819806013> Requirements update strategy bump_versions
updater | 2024/04/25 15:27:31 INFO <job_819806013> Updating faker from 3.2.3 to 3.3.1
updater | 2024/04/25 15:28:04 INFO <job_819806013> Updating pull request for 'prod-dependencies'
updater | 2024/04/25 15:28:04 INFO <job_819806013> Finished job processing
updater | 2024/04/25 15:28:04 INFO Results:
updater | +------------------------------------------------------------------------------------------------------------------------------------+
updater | | Changes to Dependabot Pull Requests |
updater | +---------+--------------------------------------------------------------------------------------------------------------------------+
updater | | updated | rake ( from 00.0.0 to 00.0.0 ), aws-sdk-s3 ( from 0.000.0 to 0.000.0 ), ddtrace ( from 0.00.0 to 0.00.0 ), karafka ( ... |
updater | +---------+--------------------------------------------------------------------------------------------------------------------------+
updater | time="2024-04-25T15:28:04Z" level=info msg="task complete" container_id=job-819806013-updater exit_code=0 job_id=819806013 step=updater
Created PR:
Is there an existing issue for this?
Package ecosystem
bundler
Package manager version
2.5.4
Language version
Ruby 3.2
Manifest location and content before the Dependabot update
It's a private project with a lot of private gems (the private gems being hosted on GitHub Packages), but here are some relevant bits:
Gemfile
dependabot.yml content
untouched except for internal-library names
Updated dependency
No response
What you expected to see, versus what you actually saw
I expected Dependabot to open separate PRs for Karafka whenever the update would contain either:
karafka
I also would NOT expect Dependabot to open a PR for the dev-dependencies group updating a gem that is specifically NOT in either the test or development gem group - but it did open the PR including karafka (which is not in any gem group). But instead, Dependabot opened the dev-dependencies group PR updating karafka, karafka-testing and even waterdrop (though that's not in the PR description as it's not explicitly defined in the Gemfile).
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
PR:
Diff:
Excerpt from relevant logs (job id 780006799):
Smallest manifest that reproduces the issue
No response