Dependabot updates package to major version even if major versions are excluded #1474

Open
1 task done
Ossiam opened this issue Nov 19, 2024 · 2 comments

Ossiam commented Nov 19, 2024

Describe the bug
This is probably an issue for Dependabot-CLI, but wanted to bring it up here just in case. Just tell me if I should close this one and create one there instead.
In my project I'm excluding major packages, which is working well. But recently we had a case where it upgraded a package to the major version anyway. Not sure if it only occurs for groups.

It specifically occurs for package HotChocolate.Data.EntityFramework, going from v.13.9.14 to v14.1.0

Categorization

To Reproduce
This repo: https://github.com/rhyskoedijk/dependabot-test-nuget-update-not-possible
But replace the packages with HotChocolate.Data.EntityFramework v.13.9.14 and its dependencies
Also replace dependabot.yaml with

version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    groups:
      dependencies:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    ignore:
      - dependency-name: "*"
        update-types: [ "version-update:semver-major" ]

Expected behavior
It only updates packages to the latest minor or patch version

Current behavior
HotChocolate.Data.EntityFramework is updated to latest major version

Logs

updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Language.Utf8 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Language.Visitors 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Language.Web 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Subscriptions 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Subscriptions.InMemory 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Transport.Sockets 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Types 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Types.CursorPagination 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Types.Mutations 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Types.OffsetPagination 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Types.Scalars.Upload 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Types.Shared 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Utilities 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Utilities.DependencyInjection 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if HotChocolate.Validation 13.9.14 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Latest version is 13.9.14
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Checking if Microsoft.Bcl.AsyncInterfaces 1.1.1 needs updating
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/19 11:07:29 INFO <job_update_0_nuget_all>   version-update:semver-major - from 

Dependabot-CLI: v1.57.0
Dependabot-azure-devops: v2.38.1062

More information
It occurs both with and without the experimental nuget flags:
experiments: 'nuget_native_analysis=true,nuget_dependency_solver=true'

Contributor

rhyskoedijk commented Nov 22, 2024

@Ossiam I've attempted to reproduce this, but am not getting the same results. Could you check the below and let me know if there is anything more to your setup I am missing?

dependabot.yml

  - package-ecosystem: 'nuget'
    directories: 
     - '/Test-1474'
    groups:
      dependencies:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    ignore:
      - dependency-name: "*"
        update-types: [ "version-update:semver-major" ]

Project.csproj

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>net8.0</TargetFrameworks>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="HotChocolate.Data.EntityFramework" Version="13.9.14" />
  </ItemGroup>
</Project>

The result I get is that HotChocolate.Data.EntityFramework is not updated; all available versions to update were ignored.

updater | 2024/11/22 09:49:16 INFO <job_update_0_nuget_all> Checking if HotChocolate.Data.EntityFramework 13.9.14 needs updating
updater | 2024/11/22 09:49:16 INFO <job_update_0_nuget_all> Ignored versions:
updater | 2024/11/22 09:49:16 INFO <job_update_0_nuget_all>   version-update:semver-major - from 
...snip...
updater | 2024/11/22 09:49:28 INFO <job_update_0_nuget_all> Filtered out 10 pre-release versions
updater | 2024/11/22 09:49:28 INFO <job_update_0_nuget_all> All updates for HotChocolate.Data.EntityFramework were ignored
...snip...
updater | 2024/11/22 09:49:28 DEBUG <job_update_0_nuget_all> Cleaning up current workspace
updater | 2024/11/22 09:49:28 INFO <job_update_0_nuget_all> Nothing to update for Dependency Group: 'dependencies'

Author

Ossiam commented Nov 22, 2024

Hard to say, a bit hard for me to debug since I'm working with a corporate repo. I assume I'd have to change all the packages in a branch and run the Dependabot pipeline on it. I did omit the other packages in the csproj, so could try adding those:

<PackageReference Include="GraphQL.Server.Ui.Voyager" Version="8.1.0" />
<PackageReference Include="HotChocolate.AspNetCore" Version="13.9.14" />
<PackageReference Include="HotChocolate.Data.EntityFramework" Version="13.9.14" />
<PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.10" />
<PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer.HierarchyId" Version="8.0.10" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="8.0.1" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="8.0.2" />

Other than that, we're technically using Directory.packages.props with around 70 packages, but HotChocolate.Data.EntityFramework is only used in the project above.
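
A check that could run on a Dependabot pull request to catch the behaviour reported in this thread (an added example, not part of the issue and not code from either project): it compares package versions before and after the update and flags any major-version increase. The sample project files are constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: project file before and after a grouped update PR.
BEFORE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="HotChocolate.AspNetCore" Version="13.9.14" />
    <PackageReference Include="HotChocolate.Data.EntityFramework" Version="13.9.14" />
    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="8.0.1" />
  </ItemGroup>
</Project>"""
# Constructed "after": one major bump (as reported) and one patch bump (made up).
AFTER = BEFORE.replace(
    'EntityFramework" Version="13.9.14"', 'EntityFramework" Version="14.1.0"'
).replace('DependencyInjection" Version="8.0.1"', 'DependencyInjection" Version="8.0.2"')


def package_versions(xml_text):
    """Return {package id (lower-cased): version} from an SDK-style .csproj
    (PackageReference) or a Directory.Packages.props file (PackageVersion)."""
    versions = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag in ("PackageReference", "PackageVersion"):
            name = el.get("Include") or el.get("Update")
            version = el.get("Version") or el.findtext("Version")
            if name and version:
                versions[name.lower()] = version.strip()  # NuGet ids are case-insensitive
    return versions


def major_of(version):
    """Leading major number, or None for ranges such as "[13.0,14.0)"."""
    m = re.match(r"[vV]?(\d+)", version)
    return int(m.group(1)) if m else None


def major_bumps(before_xml, after_xml):
    """List (package, old, new, reason) for every update that breaks the policy."""
    old, new = package_versions(before_xml), package_versions(after_xml)
    findings = []
    for name in sorted(old.keys() & new.keys()):
        a, b = major_of(old[name]), major_of(new[name])
        if a is None or b is None:
            if old[name] != new[name]:  # cannot compare: send to manual review
                findings.append((name, old[name], new[name], "unparsed"))
        elif b > a:
            findings.append((name, old[name], new[name], "major"))
    return findings
```

Failing the pipeline when `major_bumps` returns a non-empty list keeps an unexpected major upgrade from merging unreviewed, regardless of which tool produced the PR.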
