Open turing85 opened 4 months ago
We have the same issue with JavaScript dependencies in some of our repositories. Unfortunately they are private repositories, so I can't give a lot of details to reproduce this issue.
Next round of MRs behaved the same:
2.16.12
to 3.9.3
: https://github.com/quarkiverse/quarkus-artemis/pull/4803.2.11
to 3.9.3
: https://github.com/quarkiverse/quarkus-artemis/pull/4783.7.4
to 3.9.3
: https://github.com/quarkiverse/quarkus-artemis/pull/4813.8.3
to 3.9.3
: https://github.com/quarkiverse/quarkus-artemis/pull/479It seems that dependabot is aware of the ignore condition, but did not apply it: https://github.com/quarkiverse/quarkus-artemis/pull/481#issuecomment-2048168934
I dug through the logs of dependabot. The logs say that "All updates for io.quarkus:quarkus-bom were ignored
". But, for example, for io.quarkus:quarkus-maven-plugin
(which shares its version with io.quarkus:quarkus-bom
), the logs do not show such a message. This seems to be the root cause why those dependencies get updated.
For anyone having the issue: we were able to work around this with this MR: https://github.com/quarkiverse/quarkus-artemis/pull/484. The important part is that we ignore io.quarkus:*
instead of only ignoring io.quarkus:quarkus-bom
.
Is there an existing issue for this?
Package ecosystem
maven
Package manager version
maven 3.8.7
Language version
Java 17
Manifest location and content before the Dependabot update
https://github.com/quarkiverse/quarkus-artemis/blob/main/pom.xml https://github.com/quarkiverse/quarkus-artemis/blob/main/build-parent/pom.xml https://github.com/quarkiverse/quarkus-artemis/blob/main/integration-tests/camel-jms/pom.xml
dependabot.yml content
https://github.com/quarkiverse/quarkus-artemis/blob/main/.github/dependabot.yml
Lines of relevance:
Updated dependency
io.quarkus:quarkus-bom
:2.16.12
to3.9.2
: https://github.com/quarkiverse/quarkus-artemis/pull/4703.2.11
to3.9.2
: https://github.com/quarkiverse/quarkus-artemis/pull/4653.7.4
to3.9.2
: https://github.com/quarkiverse/quarkus-artemis/pull/4663.8.3
to3.9.2
: https://github.com/quarkiverse/quarkus-artemis/pull/469What you expected to see, versus what you actually saw
Expected:
The pull requests above should not have been opened.
Actual:
The pull requests were opened.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
See above.
Smallest manifest that reproduces the issue
No response
Additional information
We recently changed the
dependabot.yml
in two commits, adding additional exclusions to two branches:049920df4ee580075d519b8b5ce0dbecd858a21f
1242e44ed420779e1e77f66754601561dc839b62
io.quarkus:quarkus-bom
that is stepping out of line. Dependencyio.quarkus.platform:quarkus-camel-bom
(which uses the same mechanism) behaves as expected.