dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PR's.
https://docs.github.com/en/code-security/dependabot
MIT License

dependabot's security updates remove path prefixes from #9490

Open miketheman opened 2 months ago

miketheman commented 2 months ago

Is there an existing issue for this?

Package ecosystem

pip

Package manager version

No response

Language version

Python 3.11

Manifest location and content before the Dependabot update

pypi/warehouse@ccabe51 (#15760)

dependabot.yml content

https://github.com/pypi/warehouse/blob/ba4e38c298a9d807044db563bd9385caa6017f56/.github/dependabot.yml

Updated dependency

idna from 3.6 to 3.7

What you expected to see, versus what you actually saw

When regular dependabot updates come in, they appear to run pip-compile from the root of the repo.

When dependabot is running a security update, it appears that pip-compile is being run in the requirements/ subdirectory, removing the path prefixes from the resulting txt file, adding to merge conflicts and line churn.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

dependabot's security update: pypi/warehouse@ccabe51 (#15760)

action taken to restore paths: pypi/warehouse@d99e287 (#15760)

Smallest manifest that reproduces the issue

No response
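The working-directory mismatch described above can be caught in CI before it causes churn. The following check is an added example, not code from dependabot-core or pypi/warehouse: it parses the `# via -r` annotations that pip-compile writes into its output and flags references that lost the directory prefix. File names and sample content are constructed.

```python
import re
from pathlib import PurePosixPath

# Matches "# via -r X" on one line or a "#   -r X" continuation under "# via".
_VIA_REF = re.compile(r"^\s*#\s*(?:via\s+)?-r\s+(\S+)\s*$")

def source_refs(compiled_text: str) -> list[str]:
    """Return every -r source path referenced in pip-compile's annotations."""
    refs = {m.group(1) for m in map(_VIA_REF.match, compiled_text.splitlines()) if m}
    return sorted(refs)

def stripped_refs(compiled_text: str, compiled_path: str) -> list[str]:
    """Return -r references whose directory differs from the compiled file's.

    compiled_path is the repo-relative path of the output, e.g.
    "requirements/main.txt". The regular updates write references with the
    same prefix; a reference like "main.in" means pip-compile ran inside
    requirements/ and the prefix was lost.
    """
    expected_dir = PurePosixPath(compiled_path).parent
    if expected_dir == PurePosixPath("."):
        return []  # output lives at the repo root; nothing to lose
    return [r for r in source_refs(compiled_text)
            if PurePosixPath(r).parent != expected_dir]

# Constructed samples (hashes omitted, shortened) of the two shapes from the report.
SAMPLE_OK = """\
#    pip-compile --output-file=requirements/main.txt requirements/main.in
idna==3.7
    # via
    #   -r requirements/main.in
    #   requests
"""
SAMPLE_STRIPPED = """\
#    pip-compile --output-file=main.txt main.in
idna==3.7
    # via -r main.in
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("stripped", SAMPLE_STRIPPED)):
        print(name, stripped_refs(text, "requirements/main.txt"))
```

Run it against each compiled file in a pre-merge job and fail when the returned list is non-empty; a non-empty result means the PR was produced from a different working directory than the regular updates.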

amstilp commented 3 weeks ago

I'm running into the same issue - regular dependabot updates and security updates should run pip-compile from the same working directory.