dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot ignores maven exclusions #9432

Open turing85 opened 4 months ago

turing85 commented 4 months ago

Is there an existing issue for this?

Package ecosystem

maven

Package manager version

maven 3.8.7

Language version

Java 17

Manifest location and content before the Dependabot update

https://github.com/quarkiverse/quarkus-artemis/blob/main/pom.xml
https://github.com/quarkiverse/quarkus-artemis/blob/main/build-parent/pom.xml
https://github.com/quarkiverse/quarkus-artemis/blob/main/integration-tests/camel-jms/pom.xml

dependabot.yml content

https://github.com/quarkiverse/quarkus-artemis/blob/main/.github/dependabot.yml

Lines of relevance:

Updated dependency

io.quarkus:quarkus-bom:

What you expected to see, versus what you actually saw

Expected:

The pull requests above should not have been opened.

Actual:

The pull requests were opened.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

See above.

Smallest manifest that reproduces the issue

No response

Additional information

lkreimann commented 4 months ago

We have the same issue with JavaScript dependencies in some of our repositories. Unfortunately they are private repositories, so I can't give a lot of details to reproduce this issue.

turing85 commented 3 months ago

Next round of MRs behaved the same:

turing85 commented 3 months ago

It seems that dependabot is aware of the ignore condition, but did not apply it: https://github.com/quarkiverse/quarkus-artemis/pull/481#issuecomment-2048168934

turing85 commented 3 months ago

I dug through the logs of dependabot. The logs say that "All updates for io.quarkus:quarkus-bom were ignored". But, for example, for io.quarkus:quarkus-maven-plugin (which shares its version with io.quarkus:quarkus-bom), the logs do not show such a message. This seems to be the root cause of why those dependencies get updated.

turing85 commented 3 months ago

For anyone having the issue: we were able to work around this with this MR: https://github.com/quarkiverse/quarkus-artemis/pull/484. The important part is that we ignore io.quarkus:* instead of only ignoring io.quarkus:quarkus-bom.
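An illustration of the two ignore rules discussed in this thread, added here as an example; it is not the quarkus-artemis project's actual `.github/dependabot.yml` (that file is not reproduced on this page), and the `directory` and `schedule` values are assumptions. The `ignore` / `dependency-name` keys and the `*` wildcard are standard dependabot.yml syntax.

```yaml
# Added example, not the project's own file. Assumed: manifest at the repo root,
# weekly schedule. Only the `ignore` section is the point of the example.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # Before (the narrow rule the issue started with): only the BOM artifact
      # itself is matched. Sibling artifacts such as io.quarkus:quarkus-maven-plugin,
      # which share the BOM's version property, are not covered, so Dependabot
      # still opens PRs that bump the shared version (see the log analysis above).
      # - dependency-name: "io.quarkus:quarkus-bom"

      # After (the workaround from the comment above): a wildcard on the artifact
      # id matches every artifact in the io.quarkus group, so no single artifact
      # can drag the shared version forward.
      - dependency-name: "io.quarkus:*"
```

The trade-off to keep in mind: a group-wide ignore also silences security updates for every `io.quarkus` artifact, so a repository relying on this workaround needs another source of notification for those advisories until the narrower rule behaves as expected.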