Updates ignore not taken into account

[rdehouss]

Describe the bug Context: npm (package.json, no package-lock.json)

With the vNext script (because I use groups that are not working with the "old" script) and also with normal script,

    ignore:
      # For all deps
      - dependency-name: "*"
        # ignore all major updates
        update-types: ["version-update:semver-major"]

Does not have any effect. Although, in the console, I can clearly see that it's content is in the variable DEPENDABOT_IGNORE_CONDITIONS : /usr/bin/docker run --rm -i -e DEPENDABOT_PACKAGE_MANAGER=npm -e DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT=20 -e DEPENDABOT_DIRECTORY=/ -e DEPENDABOT_IGNORE_CONDITIONS=[{"dependency-name":"*","update-types":["version-update:semver-major"]}] -e DEPENDABOT_DEPENDENCY_GROUPS={"angular":{"patterns":["@angular*"]},"azure":{"patterns":["@azure*"]},"fullcalendar":{"patterns":["@fullcalendar*","fullcalendar"]},"mat-datetimepicker":{"patterns":["@mat-datetimepicker*"]},"ngx-translate":{"patterns":["@ngx-translate*"]},"moment":{"patterns":["moment*"]},"karma":{"patterns":["karma*"]}} -e DEPENDABOT_FAIL_ON_EXCEPTION=true -e DEPENDABOT_SKIP_PULL_REQUESTS=true -e AZURE_ORGANIZATION=*** -e AZURE_PROJECT=*** -e AZURE_REPOSITORY=*** -e AZURE_ACCESS_TOKEN=*** -e AZURE_MERGE_STRATEGY=squash ghcr.io/tinglesoftware/dependabot-updater-npm:1.30 update_script_vnext

Categorization

• [x] This is not a permissions issue (We cannot solve permission issues)

Repository Private

To Reproduce Steps to reproduce the behavior:

1. With or without skipPullRequests, it gives the same result
2. azure-pipelines.yml

   
   trigger: none # Disable CI trigger

schedules:

• cron: '0 2 *' # daily at 2am UTC always: true # run even when there are no code changes branches: include:
  • main batch: true displayName: Dependabot Daily

pool: vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported)

steps:

• task: dependabot@1 inputs: skipPullRequests: true useUpdateScriptvNext: true

  
  3. .azuredevops/dependabot.yml
  ```yaml
  version: 2

updates:

• package-ecosystem: 'npm' directory: '/' schedule: interval: 'daily' open-pull-requests-limit: 20 groups: angular: patterns:
  • "@angular*"
  • "ng-packagr" azure: patterns:
  • "@azure*" fullcalendar: patterns:
  • "@fullcalendar*"
  • "fullcalendar" mat-datetimepicker: patterns:
  • "@mat-datetimepicker*" ngx-translate: patterns:
  • "@ngx-translate*" moment: patterns:
  • "moment*" karma: patterns:
  • "karma*" ignore:

    For all deps

    • dependency-name: "*"

      ignore all major updates

      update-types: ["version-update:semver-major"]

      4. package.json
      ```json
      {
      "name": "test",
      "version": "1.0.0",
      "scripts": {
      },
      "private": true,
      "dependencies": {
      "@angular-material-components/datetime-picker": "^16.0.1",
      "@angular/animations": "^16.2.12",
      "@angular/cdk": "^16.2.14",
      "@angular/common": "^16.2.12",
      "@angular/compiler": "^16.2.12",
      "@angular/core": "^16.2.12",
      "@angular/forms": "^16.2.12",
      "@angular/material": "^16.2.14",
      "@angular/material-moment-adapter": "^16.2.14",
      "@angular/platform-browser": "^16.2.12",
      "@angular/platform-browser-dynamic": "^16.2.12",
      "@angular/router": "^16.2.12",
      "@azure/msal-angular": "^3.0.16",
      "@azure/msal-browser": "^3.13.0",
      "@fullcalendar/angular": "^6.1.10",
      "@fullcalendar/daygrid": "^6.1.10",
      "@fullcalendar/multimonth": "^6.1.10",
      "@mat-datetimepicker/core": "^12.0.1",
      "@mat-datetimepicker/moment": "^12.0.1",
      "@material/tabs": "^2.3.0",
      "@ngx-translate/core": "^14.0.0",
      "@ngx-translate/http-loader": "^7.0.0",
      "@tinymce/tinymce-angular": "^7.0.0",
      "angular-calendar": "^0.31.0",
      "bootstrap": "^5.3.2",
      "date-fns": "^2.30.0",
      "fullcalendar": "^6.1.10",
      "guid-typescript": "^1.0.9",
      "libphonenumber-js": "^1.10.61",
      "moment": "^2.30.1",
      "moment-timezone": "^0.5.45",
      "ngx-device-detector": "^6.0.2",
      "ngx-mat-intl-tel-input": "^5.0.0",
      "ngx-translate-testing": "^6.1.0",
      "rxjs": "~7.8.1",
      "tinymce": "^6.8.3",
      "tippy.js": "^6.3.7",
      "zone.js": "^0.13.3"
      },
      "devDependencies": {
      "@angular-devkit/build-angular": "^16.2.14",
      "@angular/cli": "^16.2.14",
      "@angular/compiler-cli": "^16.2.12",
      "@types/jasmine": "~4.6.4",
      "jasmine-core": "~4.6.0",
      "karma": "~6.4.2",
      "karma-chrome-launcher": "~3.2.0",
      "karma-coverage": "~2.2.1",
      "karma-jasmine": "~5.1.0",
      "karma-jasmine-html-reporter": "~2.1.0",
      "ng-packagr": "^16.2.3",
      "npm-check-updates": "^16.14.20",
      "prettier": "^3.2.5",
      "tslib": "^2.6.2",
      "typescript": "~4.9.5"
      }
      }

Actual result

+------------------------------------------------------------------------------------------------------------------------------------+
|                                                Changes to Dependabot Pull Requests                                                 |
+---------+--------------------------------------------------------------------------------------------------------------------------+
| created | @angular/animations ( from 16.2.12 to 18.1.1 ), @angular/cdk ( from 16.2.14 to 18.1.1 ), @angular/common ( from 16.2.... |
| created | @mat-datetimepicker/core ( from 12.0.1 to 14.0.0 ), @mat-datetimepicker/moment ( from 12.0.1 to 14.0.0 )                 |
| created | @ngx-translate/core ( from 14.0.0 to 15.0.0 ), @ngx-translate/http-loader ( from 7.0.0 to 8.0.0 )                        |
| created | @tinymce/tinymce-angular ( from 7.0.0 to 8.0.1 )                                                                         |
| created | date-fns ( from 2.30.0 to 3.6.0 )                                                                                        |
| created | tinymce ( from 6.8.4 to 7.2.1 )                                                                                          |
| created | @types/jasmine ( from 4.6.4 to 5.1.4 )                                                                                   |
| created | jasmine-core ( from 4.6.1 to 5.1.2 )                                                                                     |
| created | ng-packagr ( from 16.2.3 to 18.1.0 )                                                                                     |
| created | typescript ( from 4.9.5 to 5.1.6 )                                                                                       |
+---------+--------------------------------------------------------------------------------------------------------------------------+

Expected behavior npm-check-update returns me the following

npx ncu --target minor
Checking /workspaces/***/package.json
[====================] 53/53 100%

 @azure/msal-angular        ^3.0.16  →  ^3.0.22
 @azure/msal-browser        ^3.13.0  →  ^3.19.1
 @fullcalendar/angular      ^6.1.10  →  ^6.1.15
 @fullcalendar/daygrid      ^6.1.10  →  ^6.1.15
 @fullcalendar/multimonth   ^6.1.10  →  ^6.1.15
 angular-calendar           ^0.31.0  →  ^0.31.1
 bootstrap                   ^5.3.2  →   ^5.3.3
 fullcalendar               ^6.1.10  →  ^6.1.15
 jasmine-core                ~4.6.0  →   ~4.6.1
 karma                       ~6.4.2  →   ~6.4.3
 libphonenumber-js         ^1.10.61  →  ^1.11.4
 prettier                    ^3.2.5  →   ^3.3.3
 tinymce                     ^6.8.3  →   ^6.8.4
 tslib                       ^2.6.2  →   ^2.6.3
 zone.js                    ^0.13.3  →  ^0.14.8

It is expected to have PRs only for these versions, NOT the major ones, being:

Checking /workspaces/***/package.json
[====================] 53/53 100%

 @angular-devkit/build-angular      ^16.2.14  →  ^18.1.1
 @angular/animations                ^16.2.12  →  ^18.1.1
 @angular/cdk                       ^16.2.14  →  ^18.1.1
 @angular/cli                       ^16.2.14  →  ^18.1.1
 @angular/common                    ^16.2.12  →  ^18.1.1
 @angular/compiler                  ^16.2.12  →  ^18.1.1
 @angular/compiler-cli              ^16.2.12  →  ^18.1.1
 @angular/core                      ^16.2.12  →  ^18.1.1
 @angular/forms                     ^16.2.12  →  ^18.1.1
 @angular/material                  ^16.2.14  →  ^18.1.1
 @angular/material-moment-adapter   ^16.2.14  →  ^18.1.1
 @angular/platform-browser          ^16.2.12  →  ^18.1.1
 @angular/platform-browser-dynamic  ^16.2.12  →  ^18.1.1
 @angular/router                    ^16.2.12  →  ^18.1.1
 @azure/msal-angular                 ^3.0.16  →  ^3.0.22
 @azure/msal-browser                 ^3.13.0  →  ^3.19.1
 @fullcalendar/angular               ^6.1.10  →  ^6.1.15
 @fullcalendar/daygrid               ^6.1.10  →  ^6.1.15
 @fullcalendar/multimonth            ^6.1.10  →  ^6.1.15
 @mat-datetimepicker/core            ^12.0.1  →  ^14.0.0
 @mat-datetimepicker/moment          ^12.0.1  →  ^14.0.0
 @ngx-translate/core                 ^14.0.0  →  ^15.0.0
 @ngx-translate/http-loader           ^7.0.0  →   ^8.0.0
 @tinymce/tinymce-angular             ^7.0.0  →   ^8.0.1
 @types/jasmine                       ~4.6.4  →   ~5.1.4
 angular-calendar                    ^0.31.0  →  ^0.31.1
 bootstrap                            ^5.3.2  →   ^5.3.3
 date-fns                            ^2.30.0  →   ^3.6.0
 fullcalendar                        ^6.1.10  →  ^6.1.15
 jasmine-core                         ~4.6.0  →   ~5.1.2
 karma                                ~6.4.2  →   ~6.4.3
 libphonenumber-js                  ^1.10.61  →  ^1.11.4
 ng-packagr                          ^16.2.3  →  ^18.1.0
 ngx-device-detector                  ^6.0.2  →   ^8.0.0
 ngx-translate-testing                ^6.1.0  →   ^7.0.0
 prettier                             ^3.2.5  →   ^3.3.3
 tinymce                              ^6.8.3  →   ^7.2.1
 tslib                                ^2.6.2  →   ^2.6.3
 typescript                           ~4.9.5  →   ~5.5.3
 zone.js                             ^0.13.3  →  ^0.14.8

Screenshots N/A

Extension (please complete the following information):

• Host: Azure DevOps
• Version: 1.30.0.776 (released yesterday and installed automatically yesterday at 9:28pm)

Server (please complete the following information):

• Region: West Europe
• Version: latest since hosted by MS on dev.azure.com (https://learn.microsoft.com/en-us/azure/devops/release-notes/2024/sprint-241-update)

Additional context N/A

[rhyskoedijk]

Hi, thanks for the solid reproduction info. I've done a step-through with your config and unfortunately it seems that this is an issue with dependabot-core itself:

• https://github.com/dependabot/dependabot-core/issues/9685

From my understanding of the code; Exact dependency versions aren't resolved unless there is a package-lock.json; Without the exact dependency versions, Dependabot won't check your semver conditions.

From the comments in https://github.com/dependabot/dependabot-core/issues/9685, it sounds like this did work at one point, but regressed sometime around April 2024. There doesn't appear to be a fix available yet.

After adding a package-lock.json and changing versioning-strategy to lockfile-only, I got the behaviour I think you're expecting. This is the result when I tested tinymce:

2024/07/20 02:22:43 INFO <job_1721442159> Checking if tinymce 6.8.3 needs updating
2024/07/20 02:22:43 INFO <job_1721442159> Ignored versions:
2024/07/20 02:22:43 INFO <job_1721442159>   version-update:semver-major - from 
🌍 --> GET https://registry.npmjs.org/tinymce
🌍 <-- 200 https://registry.npmjs.org/tinymce
2024/07/20 02:22:44 INFO <job_1721442159> Filtered out 7 ignored versions
🌍 --> HEAD https://registry.npmjs.org/tinymce/-/tinymce-6.8.4.tgz
🌍 <-- 200 https://registry.npmjs.org/tinymce/-/tinymce-6.8.4.tgz
2024/07/20 02:22:44 INFO <job_1721442159> Latest version is 6.8.4
2024/07/20 02:22:44 INFO <job_1721442159> Filtered out 7 ignored versions
2024/07/20 02:22:44 INFO <job_1721442159> Requirements to unlock none
2024/07/20 02:22:44 INFO <job_1721442159> Requirements update strategy lockfile_only
2024/07/20 02:22:44 INFO <job_1721442159> Filtered out 7 ignored versions
2024/07/20 02:22:44 INFO <job_1721442159> Filtered out 7 ignored versions
2024/07/20 02:22:44 INFO <job_1721442159> Updating tinymce from 6.8.3 to 6.8.4
2024/07/20 02:22:45 INFO <job_1721442159> Submitting tinymce pull request for creation
2024/07/20 02:22:45 INFO <job_1721442159> Skipping pull request creation as it is disabled for this job.
2024/07/20 02:22:45 DEBUG <job_1721442159> Staged file changes were:
2024/07/20 02:22:45 DEBUG <job_1721442159>  🟡 updated 'package-lock.json' in '/WebAppAngular'
2024/07/20 02:22:45 INFO <job_1721442159> Finished job processing
2024/07/20 02:22:45 INFO Results:
+-------------------------------------------+
|    Changes to Dependabot Pull Requests    |
+---------+---------------------------------+
| created | tinymce ( from 6.8.3 to 6.8.4 ) |
+---------+---------------------------------+

I don't think it is feasible to fix the issue in this project, it would need to be fixed in dependabot-core.

[rdehouss]

Hello,

Thanks for your analysis! That's what I was afraid of after my analysis of the extension's code. I wasn't able to test directly with dependabot itself so I wasn't sure.

I'll report the issue there.

Thanks again and thank you for this extension!