Error Creating Pull Request with Dependabot V2 for NuGet Packages

[Ammanyi]

Describe the bug
I am managing NuGet packages, specifically SumNumbers, in Azure Artifacts and have configured the following dependabot.yml file for version updates. The pipeline triggers using Dependabot with the below configuration:

dependabot.yml

version: 2
updates:
-package-ecosystem: "nuget" # See documentation for possible values
  directory: "/Dependency/ConsoleApp1" # Location of package manifests
  target-branch: "main"
  labels:
    - "NGHistory"
    - "SumNumbers"
    - "Nuget dependencies"
  commit-message:
      prefix: "Nuget SumNumbers Dependency Update"
  allow:
    - dependency-name: "SumNumbers"
  open-pull-requests-limit: 5
  registries:
      - azure_artifacts
registries:
  azure_artifacts:
    type: "nuget-feed"
    url: "https://pkgs.dev.azure.com/MyProject/47ad2345353535/_packaging/learningfeed/nuget/v3/index.json"
    token: "PAT:<PAT_TOKEN>"

azure-pipelines.yml

- task: dependabot@2
  inputs:
    setAutoComplete: true
    mergeStrategy: 'noFastForward'
    autoApprove: false
    autoApproveUserToken: '<PAT>'
    azureDevOpsAccessToken: '<PAT>'

In the logs, Dependabot successfully detects the latest NuGet package versions. However, when attempting to create the pull request with Dependabot V2, I encounter the following error:

##[error]Failed to create pull request: TypeError: Cannot read properties of null (reading 'pullRequestId')

Categorization

• This is not a permissions issue (Seek help at 403 error when Dependabot tries to create a pull request #1245)

Expected behavior
The new Dependabot V2 should able to detect any new nuget version and create a PR.

Logs and screenshots
_Creating pull request 'Bump the dev-dependencies group in /Dependency/ConsoleApp1 with 2 updates'...
Pushing 1 change(s) to branch 'dependabot/nuget/main/dev-dependencies-9c2157c9ac'...
Creating pull request to merge 'dependabot/nuget/main/dev-dependencies-9c2157c9ac' into 'main'...
Adding dependency metadata to pull request properties...
##[error]Failed to create pull request: TypeError: Cannot read properties of null (reading 'pullRequestId')
TypeError: Cannot read properties of null (reading 'pullRequestId')
at AzureDevOpsWebApiClient.createPullRequest (/home/vsts/work/_tasks/dependabot_d98b873d-cf18-41eb-8ff5-234f14697896/2.35.955/utils/azure-devops/AzureDevOpsWebApiClient.js:191:48)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async DependabotOutputProcessor.process (/home/vsts/work/_tasks/dependabot_d98b873d-cf18-41eb-8ff5-234f14697896/2.35.955/utils/dependabot-cli/DependabotOutputProcessor.js:66:42)
at async DependabotCli.update (/home/vsts/work/_tasks/dependabot_d98b873d-cf18-41eb-8ff5-234f14697896/2.35.955/utils/dependabot-cli/DependabotCli.js:101:51)
at async run (/home/vsts/work/tasks/dependabot_d98b873d-cf18-41eb-8ff5-234f14697896/2.35.955/index.js:72:50)
Processing output 'mark_as_processed' with data: { 'base-commit-sha': '34acc3f01c7f67e215cc5a135a24dce63ed5dd36' }
##[error]1 update job(s) failed, check logs for more information

Extension (please complete the following information):

• Host Azure DevOps
• Version 1.35.3.955

Additional context
I have recently migrated to Dependabot V2 from the previous version. In the past, the configuration worked smoothly for triggering PRs in Azure Pipelines with dependabot@1. However, the new setup seems to fail during the PR creation step, despite successful version detection.

I am currently using Azure Artifacts to host NuGet packages, and the pipeline is designed to handle updates for multiple projects. The error occurs consistently with the Dependabot V2 task, and I haven’t been able to identify what might be causing the failure in creating the pull request, particularly the pullRequestId not being read correctly.

[bene-tleilax-werdna]

Thank you for creating this issue, I was going to open one myself. I experience the exact same issue with npm.

I have also exhausted all of the permission steps referenced in #1245.

I thought I was just doing something wrong, but I can't identify what it may be. The error seems to reference this or this but I am not knowledgeable enough to determine how or what is the cause of the error here.

Error:

Creating pull request 'chore(deps): bump the all-dependencies group with 269 updates'...
 - Pushing 2 change(s) to branch 'dependabot/npm_and_yarn/main/all-dependencies-8c0fc2b678'...
 - Creating pull request to merge 'dependabot/npm_and_yarn/main/all-dependencies-8c0fc2b678' into 'main'...
 - Adding dependency metadata to pull request properties...
##[error]Failed to create pull request: TypeError: Cannot read properties of null (reading 'pullRequestId')
TypeError: Cannot read properties of null (reading 'pullRequestId')
    at AzureDevOpsWebApiClient.createPullRequest (/home/vsts/work/_tasks/dependabot_d98b873d-cf18-41eb-8ff5-234f14697896/2.35.955/utils/azure-devops/AzureDevOpsWebApiClient.js:191:48)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async DependabotOutputProcessor.process (/home/vsts/work/_tasks/dependabot_d98b873d-cf18-41eb-8ff5-234f14697896/2.35.955/utils/dependabot-cli/DependabotOutputProcessor.js:66:42)
    at async DependabotCli.update (/home/vsts/work/_tasks/dependabot_d98b873d-cf18-41eb-8ff5-234f14697896/2.35.955/utils/dependabot-cli/DependabotCli.js:101:51)
    at async run (/home/vsts/work/_tasks/dependabot_d98b873d-cf18-41eb-8ff5-234f14697896/2.35.955/index.js:72:50)

pipeline.yaml:

  - task: dependabot@2
    displayName: Dependabot V2
    inputs:
      setAutoComplete: false
      mergeStrategy: squash
      autoApprove: false
    retryCountOnTaskFailure: 3
    timeoutInMinutes: 240
    env:
      TOKEN: $(System.AccessToken)

dependabot.yml:

version: 2
updates:
  - package-ecosystem: "npm_and_yarn"
    directory: "/"
    registries:
      - private
      - npm
    target-branch: "main"
    commit-message:
      prefix: "chore(deps)"
    versioning-strategy: increase-if-necessary
    allow:
      - dependency-type: "all"
    groups:
      all-dependencies:
        patterns:
          - "*"
        commit-message:
          prefix: "chore(deps)"
registries:
  private:
    type: npm-registry
    url: <url>
    token: ${{TOKEN}}
  npm:
    type: npm-registry
    url: https://registry.npmjs.org/

[bene-tleilax-werdna]

Interestingly, I just noticed this works on a separate pipeline I have setup for a pip/Python app. In that instance, I notice that I have autoApprove: true set versus in @Ammanyi and the failing example I provided previously, we have autoApprove: false. Obviously though, we need to be able to reliably set auto-approval to false when these pipelines run, in some cases app development teams need to be able to review the dependency updates Dependabot identifies.

Edit: I tried to set autoApprove: true on the failing example and still encountered the same error.

Here's my working example.

pipeline.yaml:

- task: dependabot@2
  displayName: Dependabot V2
  inputs:
    setAutoComplete: true
    mergeStrategy: squash
    autoApprove: true
  retryCountOnTaskFailure: 3

dependabot.yml:

version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    target-branch: "main"
    commit-message:
      prefix: "chore(deps)"
    ignore:
      - dependency-name: "kubernetes"
      - dependency-name: "elasticsearch"
    allow:
      - dependency-type: "all"
    groups:
      all-dependencies:
        patterns:
          - "*"
        commit-message:
          prefix: "chore(deps)"

[rhyskoedijk]

@Ammanyi thanks for the report; I ran in to this issue last week too.
I've started a fix in #1385, but it is still in-progress. Hopefully resolved in a few days.

[Ammanyi]

Thank you quick turn up, @rhyskoedijk. I really appreciate you looking into it. It's good to know that a fix is in progress. I'll keep an eye on #1385 and look forward to the resolution in the coming days. Let me know if there's anything I can do to help or test once it's ready! 😊