dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot does not consider ignore rule #9201

Open jscarle opened 7 months ago

jscarle commented 7 months ago

Is there an existing issue for this?

Package ecosystem

nuget

Package manager version

No response

Language version

netstandard2.0

Manifest location and content before the Dependabot update

https://github.com/jscarle/AttributeSourceGenerator/blob/main/src/AttributeSourceGenerator/AttributeSourceGenerator.csproj

    <ItemGroup>
        <PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="4.3.1" PrivateAssets="all"/>
        <PackageReference Include="Microsoft.Bcl.HashCode" Version="1.1.1" PrivateAssets="all"/>
    </ItemGroup>

dependabot.yml content

https://github.com/jscarle/AttributeSourceGenerator/blob/main/.github/dependabot.yml

version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "Microsoft.CodeAnalysis.CSharp"

Updated dependency

Microsoft.CodeAnalysis.CSharp 4.3.1 => 4.9.2

What you expected to see, versus what you actually saw

Ignore should be respected and PR should not be opened.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

https://github.com/jscarle/AttributeSourceGenerator/pull/4

Smallest manifest that reproduces the issue

version: 2
updates:
  - package-ecosystem: "nuget"
    ignore:
      - dependency-name: "Microsoft.CodeAnalysis.CSharp"

brettfo commented 5 months ago

Investigating a bit, it looks like if no version ranges are specified like in your scenario, the core updater ends up passing the string ">= 0" which winds its way through and when we eventually do version range matching, that's not a valid NuGet version range, so it doesn't apply. The fix could be as simple as rewriting ">= 0" to "*", but the updater is currently undergoing a rewrite in C#.
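
The mismatch brettfo describes, as an added example that is not dependabot-core's own code: a small Ruby matcher for a subset of NuGet range syntax (bare version, interval notation, "*"), with an `ignored?` check assumed to mirror the thread's description. The class and function names are mine.

```ruby
# Added example (not dependabot-core's own code): a minimal NuGet-style
# version range matcher showing why an ignore rule with no `versions:`
# entry misfires once it is turned into ">= 0". Subset of NuGet syntax:
# a bare version "1.0" means ">= 1.0"; "[1.0,2.0)" is interval notation
# with inclusive/exclusive ends; "*" matches everything. Operator forms
# such as ">= 0" are not NuGet range syntax and are rejected.
require "rubygems" # Gem::Version is used as the version comparer

class NuGetRange
  # Returns a NuGetRange, or nil when the string is not a valid NuGet range.
  def self.parse(spec)
    spec = spec.to_s.strip
    return new(nil, nil, true, true) if spec == "*"
    if (m = spec.match(/\A([\[(])\s*([\d.]*)\s*,\s*([\d.]*)\s*([\])])\z/))
      lower = m[2].empty? ? nil : Gem::Version.new(m[2])
      upper = m[3].empty? ? nil : Gem::Version.new(m[3])
      return new(lower, upper, m[1] == "[", m[4] == "]")
    end
    # A bare version "1.0" is shorthand for the range "[1.0,)".
    return new(Gem::Version.new(spec), nil, true, true) if spec.match?(/\A\d+(\.\d+)*\z/)
    nil # anything else, e.g. ">= 0", is not a NuGet range
  end

  def initialize(lower, upper, lower_inclusive, upper_inclusive)
    @lower, @upper = lower, upper
    @lower_inclusive, @upper_inclusive = lower_inclusive, upper_inclusive
  end

  def include?(version)
    v = Gem::Version.new(version)
    return false if @lower && (@lower_inclusive ? v < @lower : v <= @lower)
    return false if @upper && (@upper_inclusive ? v > @upper : v >= @upper)
    true
  end
end

# Mirrors the behaviour described in the thread: an unparseable range never
# matches, so the update proceeds; "*" matches every candidate version.
def ignored?(ignore_range, candidate_version)
  range = NuGetRange.parse(ignore_range)
  return false if range.nil?
  range.include?(candidate_version)
end

if __FILE__ == $PROGRAM_NAME
  puts ignored?(">= 0", "4.9.2") # false: the ignore rule is silently dropped
  puts ignored?("*", "4.9.2")    # true: the proposed "*" rewrite makes it apply
end
```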

jscarle commented 5 months ago

You'd think that "ignore" would be clear enough.