dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot tries to update more dependencies than declared #9661

Open mauroservienti opened 5 months ago

mauroservienti commented 5 months ago

Is there an existing issue for this?

Package ecosystem

Nuget

Package manager version

No response

Language version

C#

Manifest location and content before the Dependabot update

As you can see from this dependabot PR, the updated dependencies are way more than what they should be. It should only be updating xunit.runner.visualstudio and not all the other dependencies.

dependabot.yml content

version: 2
updates:
- package-ecosystem: nuget
  directory: "/"
  schedule:
    interval: daily
  open-pull-requests-limit: 10
  target-branch: master
- package-ecosystem: github-actions
  directory: "/"
  schedule:
    interval: daily
  open-pull-requests-limit: 10
  target-branch: master

Updated dependency

xunit.runner.visualstudio from 2.5.7 to 2.8.0, but it's happening for all dependencies

What you expected to see, versus what you actually saw

Only the mentioned dependency is updated, and not all of the dependencies in the project.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

mauroservienti commented 4 months ago

It continues to happen, here is a PR raised about 1 hour ago: https://github.com/ServiceComposer/ServiceComposer.AspNetCore/pull/687

mauroservienti commented 1 month ago

Here is another PR showing the same problem https://github.com/ServiceComposer/ServiceComposer.AspNetCore/pull/698

brettfo commented 1 month ago

@mauroservienti Do you have a log that you can share for this run? In some cases to properly update a package we also need to update some transitive dependencies, but I can't tell from just the PR if that's what's happening here.

mauroservienti commented 1 month ago

@brettfo, here is the log for the run that created that PR: https://github.com/ServiceComposer/ServiceComposer.AspNetCore/network/updates/869233142

As far as I can tell, in that PR, all the packages that dependabot updated are unrelated.

brettfo commented 1 month ago

I don't seem to have access to the log linked. Could you post it here, or if not you can email it to me directly at brettfo@microsoft.com.

mauroservienti commented 1 month ago

Here is the log file: ServiceComposer.AspNetCore_ServiceComposer_a5087b73fe31d6be54a29217211a8127e836175c.json

And here is another strange, unexpected PR changing dependencies that it's not supposed to touch: https://github.com/ServiceComposer/ServiceComposer.AspNetCore/pull/700/files

rdipardo commented 1 month ago

Another example, or possibly a variation of this: a test project references the main project; the PR adds packages from the main project into the test project's manifest! (I had to add the main project's packages to the ignore: list of the test project directory.)

The git diff obscures the problem because of newline changes, so make sure to look at the rich diff instead:

[Screenshot attached: Screenshot_2024-08-21_19-51-51, rich diff of the test project manifest]

mauroservienti commented 4 weeks ago

And here is another one: https://github.com/ServiceComposer/ServiceComposer.AspNetCore/pull/701

brettfo commented 3 weeks ago

The current architecture of dependabot doesn't fully work with the complexities of NuGet dependencies, but I'm currently working on a rewrite of the NuGet update detection logic which should fix this. I don't yet have an ETA on that work being done, but it is actively being worked on.
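The two symptoms reported in this thread, a PR titled as a bump of one package that rewrites other PackageReference versions, and a PR that copies a referenced project's packages into the test project's manifest, can both be caught in review by diffing the manifests rather than reading the git diff, which (as noted above) is obscured by newline changes. The script below is an added example written for this thread; it is not part of dependabot-core and does not use any Dependabot API. It parses a csproj before and after a PR, takes the package the PR title claims to bump, and reports every added, removed or re-versioned PackageReference that the title does not account for. The csproj contents and the PR title are constructed sample input; the `Bump <package> from <old> to <new>` title pattern is the one used by the PRs linked in this issue.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: a test project's csproj before and after a
# hypothetical PR whose title claims to bump only xunit.runner.visualstudio.
BEFORE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="xunit" Version="2.4.2" />
    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.7" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.6.0" />
  </ItemGroup>
</Project>"""

AFTER = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="xunit" Version="2.8.0" />
    <PackageReference Include="xunit.runner.visualstudio" Version="2.8.0" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.6.0" />
    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="8.0.0" />
  </ItemGroup>
</Project>"""

PR_TITLE = "Bump xunit.runner.visualstudio from 2.5.7 to 2.8.0"  # constructed

# Single-dependency Dependabot PR titles follow "Bump <package> from <old> to <new>".
TITLE_RE = re.compile(r"^Bump (\S+) from (\S+) to (\S+)", re.IGNORECASE)


def expected_from_title(title):
    """Return the set of package ids (lower-cased) a PR title claims to update.
    An unrecognised title yields an empty set, so every change is reported."""
    m = TITLE_RE.match(title.strip())
    return {m.group(1).lower()} if m else set()


def package_versions(csproj_xml):
    """Return {package_id: version} for every PackageReference in a csproj string.
    NuGet package ids are case-insensitive, so keys are lower-cased. Both the
    Version attribute and a nested <Version> element are understood."""
    root = ET.fromstring(csproj_xml)
    refs = {}
    for ref in root.iter("PackageReference"):
        name = ref.get("Include") or ref.get("Update")
        if name is None:
            continue
        version = ref.get("Version")
        if version is None:
            child = ref.find("Version")
            version = child.text.strip() if child is not None and child.text else None
        refs[name.lower()] = version
    return refs


def unexpected_changes(before_xml, after_xml, expected):
    """Diff two manifests and return the changes NOT covered by `expected`
    (package ids the PR claims to touch). Result has 'added', 'removed' and
    'changed' entries; 'changed' holds (package, old_version, new_version)."""
    before = package_versions(before_xml)
    after = package_versions(after_xml)
    expected = {e.lower() for e in expected}
    added = sorted(n for n in after if n not in before and n not in expected)
    removed = sorted(n for n in before if n not in after and n not in expected)
    changed = sorted(
        (n, before[n], after[n])
        for n in before
        if n in after and before[n] != after[n] and n not in expected
    )
    return {"added": added, "removed": removed, "changed": changed}


def review(before_xml, after_xml, title):
    """Convenience wrapper: returns True when the PR touches only what its
    title declares, False (with the offending entries) otherwise."""
    report = unexpected_changes(before_xml, after_xml, expected_from_title(title))
    clean = not (report["added"] or report["removed"] or report["changed"])
    return clean, report


if __name__ == "__main__":
    ok, report = review(BEFORE, AFTER, PR_TITLE)
    print("PR matches its title" if ok else "PR touches undeclared packages:")
    for kind in ("added", "removed", "changed"):
        for entry in report[kind]:
            print(f"  {kind}: {entry}")
```

Run against a real PR, `BEFORE` and `AFTER` would be the csproj contents from the base and head commits; for a solution with several projects, run `review` once per manifest the PR modifies, since the second symptom in this thread (main-project packages appearing in the test project) shows up as `added` entries in a file the title never mentions.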