Dependabot updates package to major version even if major versions are excluded #1474
Comments
@Ossiam I've attempted to reproduce this, but am not getting the same results. Could you check the below and let me know if there is anything more to your setup I am missing?

dependabot.yml

```yaml
- package-ecosystem: 'nuget'
  directories:
    - '/Test-1474'
  groups:
    dependencies:
      patterns:
        - "*"
      update-types:
        - "minor"
        - "patch"
  ignore:
    - dependency-name: "*"
      update-types: [ "version-update:semver-major" ]
```

Project.csproj

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>net8.0</TargetFrameworks>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="HotChocolate.Data.EntityFramework" Version="13.9.14" />
  </ItemGroup>
</Project>
```

The result I get is
Hard to say, a bit hard for me to debug since I'm working with a corporate repo. I assume I'd have to change all the packages in a branch and run the Dependabot pipeline on it. I did omit the other packages in the csproj, so could try adding those:
Other than that, we're technically using Directory.packages.props with around 70 packages, but HotChocolate.Data.EntityFramework is only used in the project above.
Describe the bug
This is probably an issue for Dependabot-CLI, but wanted to bring it up here just in case. Just tell me if I should close this one and create one there instead.
In my project I'm excluding major packages, which is working well. But recently we had a case where it upgraded a package to the major version anyway. Not sure if it only occurs for groups.
It specifically occurs for package HotChocolate.Data.EntityFramework, going from v.13.9.14 to v14.1.0
Categorization
To Reproduce
This repo: https://github.com/rhyskoedijk/dependabot-test-nuget-update-not-possible
But replace the packages with HotChocolate.Data.EntityFramework v.13.9.14 and its dependencies
Also replace dependabot.yaml with
Expected behavior
It only updates packages to the latest minor or patch version
Current behavior
HotChocolate.Data.EntityFramework is updated to latest major version
Logs
Dependabot-CLI: v1.57.0
Dependabot-azure-devops: v2.38.1062
More information
It occurs both with and without the experimental nuget flags:
experiments: 'nuget_native_analysis=true,nuget_dependency_solver=true'
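A pre-merge check for the situation reported here, added as an example and not taken from the reporter or the Dependabot project: it classifies each proposed bump and flags any that the thread's `ignore` rule should have excluded. The `PROPOSED` list, the function names, and treating `*` in `dependency-name` as a glob are assumptions; only ignore rules that carry `update-types` are handled.

```python
import re
from fnmatch import fnmatchcase

# Ignore rule as written in the dependabot.yml quoted in this thread.
IGNORE_RULES = [
    {"dependency-name": "*", "update-types": ["version-update:semver-major"]},
]

# Proposed bumps to audit: the first is from the report, the second is constructed.
PROPOSED = [
    ("HotChocolate.Data.EntityFramework", "13.9.14", "14.1.0"),
    ("Example.Package", "2.3.1", "2.4.0"),
]


def parse_version(version):
    """Return (major, minor, patch); drops a 4th part and any -pre/+build suffix."""
    core = re.split(r"[-+]", version.strip().lstrip("vV."), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def classify_update(old, new):
    """Name the update type for old -> new, or None when it is not an upgrade."""
    o, n = parse_version(old), parse_version(new)
    if n <= o:
        return None
    if n[0] != o[0]:
        return "version-update:semver-major"
    if n[1] != o[1]:
        return "version-update:semver-minor"
    return "version-update:semver-patch"


def find_violations(updates, ignore_rules=IGNORE_RULES):
    """Return (name, old, new, kind) for each bump an ignore rule should have blocked."""
    flagged = []
    for name, old, new in updates:
        kind = classify_update(old, new)
        for rule in ignore_rules:
            # Assumption: "*" in dependency-name is a glob; NuGet ids ignore case.
            pattern = rule["dependency-name"].lower()
            if kind in rule.get("update-types", []) and fnmatchcase(name.lower(), pattern):
                flagged.append((name, old, new, kind))
                break
    return flagged


if __name__ == "__main__":
    for name, old, new, kind in find_violations(PROPOSED):
        print(f"BLOCK {name}: {old} -> {new} is {kind}")
```

Run against the version pairs extracted from a Dependabot pull request, a non-empty result is a reason to hold the merge for manual review.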