dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PR's.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot assigned a package to a group after a group with a matching pattern #9765

Open jyasskin opened 2 weeks ago

jyasskin commented 2 weeks ago

Is there an existing issue for this?

Package ecosystem

npm

Package manager version

pnpm 9.0.6

Language version

node 20.12.0

Manifest location and content before the Dependabot update

No response

dependabot.yml content

https://github.com/vlach-cookbook/cookbook/blob/9fa58c8843b73345b7e4598c3e5fc679e1f7e6cd/.github/dependabot.yml

    groups:
      astro:
        patterns: ["astro", "@astrojs/*", "vitest"]
        update-types: [patch, minor, major]
      prisma:
        patterns: ["prisma", "@prisma/*"]
        update-types: [patch, minor, major]
      playwright:
        # This will usually fail, because the version in workflows and Dockerfiles
        # has to match exactly.
        patterns: ["@playwright/*"]
        update-types: [patch, minor, major]
      minors:
        patterns: ["*"]
        update-types: [patch, minor]

Updated dependency

No response

What you expected to see, versus what you actually saw

https://github.com/vlach-cookbook/cookbook/pull/108 is for the 'minors' group, but it includes updates to @astrojs/solid-js and @playwright/test which should be matched by the @astrojs/* and @playwright/* globs for earlier groups. The documentation says updates should be assigned to the first group they match.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response
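A worked model of the first-match group assignment the report expects, added here as an illustration and not code from dependabot-core or from the reporter. It transcribes the four groups from the quoted dependabot.yml, uses Python's `fnmatchcase` as a stand-in for Dependabot's glob matcher, classifies bumps with a simplified MAJOR.MINOR.PATCH comparison, and runs over constructed sample versions (not taken from PR #108). Under the quoted config, @astrojs/solid-js and @playwright/test land in their dedicated groups rather than in `minors`, and a major bump that no group's `update-types` allows is left ungrouped for an individual PR.

```python
from fnmatch import fnmatchcase

# Group definitions transcribed from the dependabot.yml quoted in the issue.
# Order matters: a dependency goes into the first group that matches.
GROUPS = [
    {"name": "astro", "patterns": ["astro", "@astrojs/*", "vitest"],
     "update-types": ["patch", "minor", "major"]},
    {"name": "prisma", "patterns": ["prisma", "@prisma/*"],
     "update-types": ["patch", "minor", "major"]},
    {"name": "playwright", "patterns": ["@playwright/*"],
     "update-types": ["patch", "minor", "major"]},
    {"name": "minors", "patterns": ["*"],
     "update-types": ["patch", "minor"]},
]


def update_type(old: str, new: str) -> str:
    """Classify a version bump as major/minor/patch.

    Assumption: plain MAJOR.MINOR.PATCH strings; pre-release tags and
    build metadata are not handled by this simplified comparison.
    """
    o = [int(part) for part in old.split(".")]
    n = [int(part) for part in new.split(".")]
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "minor"
    return "patch"


def assign_group(name: str, old: str, new: str, groups=GROUPS):
    """Return the first group whose patterns AND update-types accept this
    dependency, or None if it should get its own PR.

    fnmatchcase stands in for Dependabot's glob matcher; its '*' matches
    '/' as well, so '@astrojs/*' covers '@astrojs/solid-js'.
    """
    kind = update_type(old, new)
    for group in groups:
        if kind not in group["update-types"]:
            continue
        if any(fnmatchcase(name, pattern) for pattern in group["patterns"]):
            return group["name"]
    return None


def group_updates(updates, groups=GROUPS):
    """Bucket (name, old, new) tuples by group name; None holds ungrouped ones."""
    buckets = {}
    for name, old, new in updates:
        buckets.setdefault(assign_group(name, old, new, groups), []).append(name)
    return buckets


# Constructed sample updates (versions are illustrative, not from PR #108).
SAMPLE_UPDATES = [
    ("@astrojs/solid-js", "4.0.1", "4.1.0"),
    ("@playwright/test", "1.43.0", "1.44.0"),
    ("typescript", "5.4.0", "5.4.5"),
    ("@prisma/client", "5.12.0", "5.13.0"),
    ("eslint", "8.57.0", "9.0.0"),  # major bump: no group's update-types allow it
]

if __name__ == "__main__":
    for group, names in group_updates(SAMPLE_UPDATES).items():
        print(group or "(individual PRs)", "->", names)
```

The check worth keeping from this model is that both conditions are evaluated per group in order: a dependency that matches `*` in `minors` is only placed there if no earlier group's patterns already claimed it.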