tinglesoftware / dependabot-azure-devops

Tools for updating dependencies in Azure DevOps repositories using https://dependabot.com
MIT License

Dependabot updates package to major version even if major versions are excluded #1474

Open Ossiam opened 3 days ago

Ossiam commented 3 days ago

Describe the bug

This is probably an issue for Dependabot-CLI, but wanted to bring it up here just in case. Just tell me if I should close this one and create one there instead. In my project I'm excluding major packages, which is working well. But recently we had a case where it upgraded a package to the major version anyway. Not sure if it only occurs for groups.

It specifically occurs for package HotChocolate.Data.EntityFramework, going from v.13.9.14 to v14.1.0

Categorization

To Reproduce

This repo: https://github.com/rhyskoedijk/dependabot-test-nuget-update-not-possible But replace the packages with HotChocolate.Data.EntityFramework v.13.9.14 and its dependencies. Also replace dependabot.yaml with:

version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    groups:
      dependencies:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    ignore:
      - dependency-name: "*"
        update-types: [ "version-update:semver-major" ]

Expected behavior

It only updates packages to the latest minor or patch version

Current behavior

HotChocolate.Data.EntityFramework is updated to latest major version

Logs

updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Language.Utf8 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Language.Visitors 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Language.Web 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Subscriptions 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Subscriptions.InMemory 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Transport.Sockets 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Types 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Types.CursorPagination 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Types.Mutations 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Types.OffsetPagination 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Types.Scalars.Upload 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Types.Shared 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Utilities 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Utilities.DependencyInjection 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Validation 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if Microsoft.Bcl.AsyncInterfaces 1.1.1 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 

Dependabot-CLI: v1.57.0 Dependabot-azure-devops: v2.38.1062

More information

It occurs both with and without the experimental nuget flags: experiments: 'nuget_native_analysis=true,nuget_dependency_solver=true'

rhyskoedijk commented 3 hours ago

@Ossiam I've attempted to reproduce this, but am not getting the same results. Could you check the below and let me know if there is anything more to your setup I am missing?

dependabot.yml

  - package-ecosystem: 'nuget'
    directories: 
     - '/Test-1474'
    groups:
      dependencies:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    ignore:
      - dependency-name: "*"
        update-types: [ "version-update:semver-major" ]

Project.csproj

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>net8.0</TargetFrameworks>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="HotChocolate.Data.EntityFramework" Version="13.9.14" />
  </ItemGroup>
</Project>

The result I get is HotChocolate.Data.EntityFramework is not updated; all available versions to update were ignored.

updater | 2024/11/22 09:49:16 INFO <job_update_0_nuget_all> Checking if HotChocolate.Data.EntityFramework 13.9.14 needs updating
updater | 2024/11/22 09:49:16 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/22 09:49:16 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
...snip...
updater | 2024/11/22 09:49:28 INFO <job_update_0_nuget_all> Filtered out 10 pre-release versions
updater | 2024/11/22 09:49:28 INFO <job_update_0_nuget_all> All updates for HotChocolate.Data.EntityFramework were ignored
...snip...
updater | 2024/11/22 09:49:28 DEBUG <job_update_0_nuget_all> Cleaning up current workspace
updater | 2024/11/22 09:49:28 INFO <job_update_0_nuget_all> Nothing to update for Dependency Group: 'dependencies'

Ossiam commented 54 minutes ago

Hard to say, a bit hard for me to debug since I'm working with a corporate repo. I assume I'd have to change all the packages in a branch and run the Dependabot pipeline on it. I did omit the other packages in the csproj, so could try adding those:

<PackageReference Include="GraphQL.Server.Ui.Voyager" Version="8.1.0" />
<PackageReference Include="HotChocolate.AspNetCore" Version="13.9.14" />
<PackageReference Include="HotChocolate.Data.EntityFramework" Version="13.9.14" />
<PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.10" />
<PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer.HierarchyId" Version="8.0.10" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="8.0.1" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="8.0.2" />

Other than that, we're technically using Directory.packages.props with around 70 packages, but HotChocolate.Data.EntityFramework is only used in the project above.
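
A pull-request gate that enforces the same "no major updates" policy independently of Dependabot's ignore rules, as an added example (not code from this issue or from either project). It compares the package versions in a project file before and after an update; the sample project files are constructed and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: a project file before and after a grouped update.
BEFORE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="HotChocolate.AspNetCore" Version="13.9.14" />
    <PackageReference Include="HotChocolate.Data.EntityFramework" Version="13.9.14" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.10" />
  </ItemGroup>
</Project>"""
AFTER = BEFORE.replace(
    'HotChocolate.Data.EntityFramework" Version="13.9.14"',
    'HotChocolate.Data.EntityFramework" Version="14.1.0"',
).replace('SqlServer" Version="8.0.10"', 'SqlServer" Version="8.0.11"')


def local(tag):
    """Strip an XML namespace so legacy MSBuild project files also parse."""
    return tag.rsplit("}", 1)[-1]


def package_versions(xml_text):
    """Map package id (lower-cased, NuGet ids are case-insensitive) to version."""
    versions = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) not in ("PackageReference", "PackageVersion"):
            continue
        name = el.get("Include") or el.get("Update")
        # Version may be an attribute or a child element.
        version = el.get("Version") or next(
            (c.text for c in el if local(c.tag) == "Version"), None)
        if name and version:
            versions[name.lower()] = version.strip()
    return versions


def major(version):
    """Leading numeric component, or None for values such as $(SomeProperty)."""
    m = re.match(r"[\[\(]?\s*(\d+)", version)
    return int(m.group(1)) if m else None


def major_bumps(before_xml, after_xml):
    """Return (package, old, new) for every changed package whose major rose."""
    old, new = package_versions(before_xml), package_versions(after_xml)
    found = []
    for name, new_v in sorted(new.items()):
        old_v = old.get(name)
        if old_v is None or old_v == new_v:
            continue  # newly added or unchanged: not a version update
        a, b = major(old_v), major(new_v)
        if a is None or b is None or b > a:  # unparseable versions fail closed
            found.append((name, old_v, new_v))
    return found


if __name__ == "__main__":
    for name, old_v, new_v in major_bumps(BEFORE, AFTER):
        print(f"major update not allowed: {name} {old_v} -> {new_v}")
```

Run against the target branch and the pull-request branch versions of each `.csproj` or `Directory.Packages.props`, a non-empty result can fail the build regardless of how the update was produced.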