dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot

Doesn't update versions in yarn resolutions #9058

Open Dreamsorcerer opened 9 months ago

Dreamsorcerer commented 9 months ago

Is there an existing issue for this?

Duplicate of https://github.com/dependabot/dependabot-core/issues/2318#issuecomment-1939447694, but that issue has been closed incorrectly.

Package ecosystem

npm

Package manager version

yarn

Manifest location and content before the Dependabot update

{
  "name": "admin-js",
  "version": "0.1.0",
  "private": true,
  "dependencies": {
    "react": "^18.2.0",
    "react-admin": "4.16.7",
    "react-dom": "^18.2.0"
  },
  "devDependencies": {
    "@testing-library/jest-dom": "^6.1.5",
    "@testing-library/react": "^14.1.2",
    "@testing-library/user-event": "^14.5.1",
    "@ungap/structured-clone": "^1.2",
    "jest-fail-on-console": "^3.1.2",
    "react-scripts": "^5.0.1"
  },
  "resolutions": {
    "create-react-admin": "4.16.7",
    "ra-core": "4.16.7",
    "ra-data-fakerest": "4.16.7",
    "ra-data-graphql-simple": "4.16.7",
    "ra-data-graphql": "4.16.7",
    "ra-data-json-server": "4.16.7",
    "ra-data-local-forage": "4.16.7",
    "ra-data-local-storage": "4.16.7",
    "ra-data-simple-rest": "4.16.7",
    "ra-i18n-i18next": "4.16.7",
    "ra-i18n-polyglot": "4.16.7",
    "ra-input-rich-text": "4.16.7",
    "ra-language-english": "4.16.7",
    "ra-language-french": "4.16.7",
    "ra-no-code": "4.16.7",
    "ra-ui-materialui": "4.16.7"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build && (rm ../aiohttp_admin/static/*.js.map || true) && mv build/static/js/main.*.js ../aiohttp_admin/static/admin.js && mv build/static/js/main.*.js.map ../aiohttp_admin/static/ && rm -rf build/",
    "test": "jest",
    "eject": "react-scripts eject"
  },
  "eslintConfig": {
    "extends": [
      "react-app",
      "react-app/jest"
    ],
    "rules": {
        "react/jsx-pascal-case": [1, {"allowLeadingUnderscore": true}]
    }
  },
  "browserslist": {
    "production": [
      ">0.2%",
      "not dead"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  }
}

dependabot.yml content

# Dependabot configuration from the reporter's repository (config schema version 2).
version: 2
updates:
  # Python dependencies declared at the repository root, checked daily.
  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: daily

  # JavaScript manifest under /admin-js/ (the package.json shown in this report), checked daily.
  - package-ecosystem: npm
    directory: "/admin-js/"
    schedule:
      interval: daily
    groups:
      # A single group for the react-admin package family. The patterns are
      # matched against package names: in the reported package.json,
      # "react-admin" appears under "dependencies", while "create-react-admin"
      # and the "ra-*" packages appear only under "resolutions".
      react-admin:
        patterns:
          - "create-react-admin"
          - "ra-*"
          - "react-admin"

  # GitHub Actions workflow dependencies, checked monthly.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"

Updated dependency

{
  "name": "admin-js",
  "version": "0.1.0",
  "private": true,
  "dependencies": {
    "react": "^18.2.0",
    "react-admin": "4.16.10",   <--- This is the only change
    "react-dom": "^18.2.0"
  },
  "devDependencies": {
    "@testing-library/jest-dom": "^6.1.5",
    "@testing-library/react": "^14.1.2",
    "@testing-library/user-event": "^14.5.1",
    "@ungap/structured-clone": "^1.2",
    "jest-fail-on-console": "^3.1.2",
    "react-scripts": "^5.0.1"
  },
  "resolutions": {
    "create-react-admin": "4.16.7",
    "ra-core": "4.16.7",
    "ra-data-fakerest": "4.16.7",
    "ra-data-graphql-simple": "4.16.7",
    "ra-data-graphql": "4.16.7",
    "ra-data-json-server": "4.16.7",
    "ra-data-local-forage": "4.16.7",
    "ra-data-local-storage": "4.16.7",
    "ra-data-simple-rest": "4.16.7",
    "ra-i18n-i18next": "4.16.7",
    "ra-i18n-polyglot": "4.16.7",
    "ra-input-rich-text": "4.16.7",
    "ra-language-english": "4.16.7",
    "ra-language-french": "4.16.7",
    "ra-no-code": "4.16.7",
    "ra-ui-materialui": "4.16.7"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build && (rm ../aiohttp_admin/static/*.js.map || true) && mv build/static/js/main.*.js ../aiohttp_admin/static/admin.js && mv build/static/js/main.*.js.map ../aiohttp_admin/static/ && rm -rf build/",
    "test": "jest",
    "eject": "react-scripts eject"
  },
  "eslintConfig": {
    "extends": [
      "react-app",
      "react-app/jest"
    ],
    "rules": {
        "react/jsx-pascal-case": [1, {"allowLeadingUnderscore": true}]
    }
  },
  "browserslist": {
    "production": [
      ">0.2%",
      "not dead"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  }
}

What you expected to see, versus what you actually saw

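Expected: all versions in `resolutions` to be bumped as part of the grouped update. Actual: only `react-admin` under `dependencies` was changed; every entry in `resolutions` stayed at 4.16.7. Because yarn installs the version pinned in `resolutions`, those packages remain on the old release until the pins are edited by hand.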

Images of the diff or a link to the PR, issue, or logs

https://github.com/aio-libs/aiohttp-admin/pull/863/files

Dreamsorcerer commented 7 months ago

This actually makes Dependabot unusable on our project. It bumps the wrong thing and won't touch the things that actually need bumping.