Closed emahiq closed 2 months ago
It seems like all allow-conditions require a `dependency-type`, as seen here.
I modified my `dependabot.yml` to this, where I added `dependency-type: all`:

```yaml
version: 2
updates:
  - package-ecosystem: nuget
    directory: '/'
    schedule:
      interval: daily
    allow:
      - dependency-name: Newtonsoft.Json
        dependency-type: all
```
This works. However, the allow section in the dependabot docs on GitHub clearly shows examples where only `dependency-name` is specified.
Is there a discrepancy here, where this extension mistakenly behaves differently from dependabot core? Or is this by design?
Thanks for reporting this
Just pushed release 0.19.0. It'd be great if you could test and report back.
Sorry for the late reply, was on vacation @mburumaxwell

I haven't had time to test removing `dependency-type: all` from my `allow`s yet, but I noticed that at the time of this release, my `allow`s are completely disregarded. Dependabot is creating PRs for all NuGet packages, whether they match an `allow` or not.

Here is my `dependabot.yaml`:
```yaml
updates:
  - package-ecosystem: nuget
    directory: /ProjectName
    schedule:
      interval: daily
    allow:
      - dependency-name: Newtonsoft.Json
        dependency-type: all
      - dependency-name: MudBlazor
        dependency-type: all
      - dependency-name: Microsoft.NET.Test.Sdk
        dependency-type: all
      - dependency-name: xunit.*
        dependency-type: all
      - dependency-name: Moq
        dependency-type: all
      - dependency-name: coverlet.collector
        dependency-type: all
      - dependency-name: Amazon.*
        dependency-type: all
      - dependency-name: Polly.*
        dependency-type: all
      - dependency-name: Dapper
        dependency-type: all
      - dependency-name: Npgsql
        dependency-type: all
      - dependency-name: System.IdentityModel.Tokens.Jwt
        dependency-type: all
      - dependency-name: Microsoft.IdentityModel.Protocols.OpenIdConnect
        dependency-type: all
      - dependency-name: Google.Protobuf
        dependency-type: all
```
Yet I've been getting PRs for e.g. `AWSSDK.Lambda` and `Microsoft.Extensions.Configuration.Abstractions`, none of which match any of the `allow`s. Can I specify a version of dependabot to use until this is fixed? We're getting a lot of PRs that we have to reject right now.
In this case it is easier to use `ignore`.

The way the script works currently, `ignore` is checked before `allow` to ensure that `ignore` has the utmost say. Maybe this will change in the future but for now `ignore` is a much easier alternative.
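To make the ordering described above concrete, here is an added illustration (not the extension's own code) of an update filter that evaluates `ignore` before `allow`, run over the package names from the config in this thread. It assumes that `*` is the only wildcard in `dependency-name`, that NuGet ids compare case-insensitively, that `dependency-type: all` accepts any dependency type, and that an empty allow list means no restriction; the ignore rule is constructed for the demonstration.

```python
import fnmatch

# Constructed sample rules, mirroring names from the dependabot.yaml above.
ALLOW = [
    {"dependency-name": "Newtonsoft.Json", "dependency-type": "all"},
    {"dependency-name": "xunit.*", "dependency-type": "all"},
    {"dependency-name": "Amazon.*", "dependency-type": "all"},
    {"dependency-name": "Dapper", "dependency-type": "direct"},
]
# Hypothetical ignore list, present only to show that ignore wins over allow.
IGNORE = [{"dependency-name": "xunit.runner.*"}]


def name_matches(pattern, name):
    # Assumption: '*' is the only wildcard; NuGet ids are case-insensitive.
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def type_matches(rule_type, dep_type):
    # Assumption: 'all' accepts any dependency type; otherwise types must be equal.
    return rule_type == "all" or rule_type == dep_type


def update_allowed(name, dep_type, allow, ignore):
    """Decide whether an update for `name` ('direct' or 'indirect') yields a PR.

    Order follows the maintainer's description: ignore is evaluated first and
    always wins. Assumption: an empty allow list means no restriction, while a
    non-empty one permits only dependencies matching some allow rule.
    """
    if any(name_matches(r["dependency-name"], name) for r in ignore):
        return False
    if not allow:
        return True
    return any(
        name_matches(r["dependency-name"], name)
        and type_matches(r.get("dependency-type", "all"), dep_type)
        for r in allow
    )


if __name__ == "__main__":
    samples = [("Newtonsoft.Json", "direct"), ("AWSSDK.Lambda", "direct"),
               ("xunit.core", "direct"), ("xunit.runner.visualstudio", "direct"),
               ("Dapper", "indirect")]
    for dep, kind in samples:
        verdict = "PR" if update_allowed(dep, kind, ALLOW, IGNORE) else "skipped"
        print(f"{dep} ({kind}) -> {verdict}")
```

Note that `AWSSDK.Lambda` is skipped because `Amazon.*` does not match it, which is the behaviour the reporter expected and did not get.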
The list would be three times as long if I used `ignore`s instead. Are you saying that `allow` doesn't work at all anymore? Or is there something with my particular setup that breaks it?
Recently we made a major change to an image per ecosystem. Since #711 happened before it, you cannot roll back effectively.

I will try and reproduce your issue but I cannot guarantee when that will be. In the meantime, I encourage you to try ignores, but I will also reopen the issue for tracking.
I understand. Thank you for the help! I'll see if we can work around this for now then.
When configuring dependabot with an allow-section in `dependabot.yml`, all updates are disallowed, even those that match.

dependabot-pipeline.yml:

dependabot.yml:

DependabotSandbox.csproj:

Both `Newtonsoft.Json` and `Serilog` have newer versions available. I am expecting `Newtonsoft.Json` to be updated, but not `Serilog`.

Log excerpt:

However, removing the allow-section altogether makes both versions update as expected. It is as if dependabot can't understand the conditions provided with `DEPENDABOT_ALLOW_CONDITIONS`, and so interprets the allow-section as empty, effectively disallowing all updates. But that's just a guess. Is there anything that I've simply overlooked here? Is it a known problem?