Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependabot doesn't seem to ignore NuGet versions #6873

Closed
1 task done
DaleMckeown opened this issue Mar 20, 2023 · 2 comments
Closed
1 task done

Dependabot doesn't seem to ignore NuGet versions #6873

DaleMckeown opened this issue Mar 20, 2023 · 2 comments
Labels
E: documentation Docs issues F: dependency-ignores Allow excluding certain versions T: bug 🐞 Something isn't working

Comments

@DaleMckeown
Copy link

DaleMckeown commented Mar 20, 2023
edited
Loading

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

NuGet

Package manager version

No response

Language version

This is running on an Azure DevOps pipeline, using the Dependabot Azure Extension - https://github.com/tinglesoftware/dependabot-azure-devops/blob/main/extension/README.md#usage

Manifest location and content before the Dependabot update

project.csproj file:

<ItemGroup>
    <PackageReference Include="Microsoft.EntityFrameworkCore" Version="6.0.14" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="6.0.14" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>

dependabot.yml content

Contents of my .github/dependabot.yml file:

version: 2
registries:
  nuget-private:
    type: nuget-feed
    url: https://pkgs.dev.azure.com/{teamName}/_packaging/{teamName}/nuget/v3/index.json
    token: ':{patToken}'
  nuget-public:
    type: nuget-feed
    url: https://api.nuget.org/v3/index.json
updates:
  - package-ecosystem: nuget
    directory: '/'
    registries: '*'
    schedule:
      interval: weekly
    open-pull-requests-limit: 50
    ignore:
      - dependency-name: 'Microsoft.EntityFrameworkCore'
        versions: ['7.x']
      - dependency-name: 'Microsoft.EntityFrameworkCore.Relational'
        versions: ['7.x']

Updated dependency

If this worked as expected with dependabot ignoring version 7 packages, I would expect two PRs, updating:

Microsoft.EntityFrameworkCore to 6.0.15
Microsoft.EntityFrameworkCore.Relational to 6.0.15

What you expected to see, versus what you actually saw

Instead, I see two PRs, updating to version 7. It is as if the ignore parameters are not being adhered to.

Microsoft.EntityFrameworkCore to 7.0.4
Microsoft.EntityFrameworkCore.Relational to 7.0.4

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

Pipeline logs the following:

Checking if Microsoft.EntityFrameworkCore.Relational 6.0.14 needs updating
...
Requirements to unlock own
Requirements update strategy
Updating Microsoft.EntityFrameworkCore.Relational from 6.0.14 to 7.0.4
...
Submitting Microsoft.EntityFrameworkCore.Relational pull request for creation.
Created pull request for Microsoft.EntityFrameworkCore.Relational

Smallest manifest that reproduces the issue

No response

Update:

Changing my .github/dependabot.yml ignore config to:

ignore:
    - dependency-name: 'Microsoft.EntityFrameworkCore'
       versions: ['7.x']
       update-types: ['version-update:semver-major']
    - dependency-name: 'Microsoft.EntityFrameworkCore.Relational'
       versions: ['7.x']
       update-types: ['version-update:semver-major']

Gives me the desired results in this case. I don't understand why I can't just target the specific version of the NuGet package, though. Seems like a bug to me?
@DaleMckeown DaleMckeown added the T: bug 🐞 Something isn't working label Mar 20, 2023
@DaleMckeown
Copy link
Author

The solution was to use a * instead of an x. Packages now being ignored.

versions: ['7.*']

DaleMckeown added a commit to DaleMckeown/docs that referenced this issue Mar 20, 2023
@DaleMckeown
Updates docs to help NuGet users
95c2d2f 
Helps point NuGet users to the right syntax for ignoring versions - more info: dependabot/dependabot-core#6873
@DaleMckeown DaleMckeown mentioned this issue Mar 20, 2023
Merged
2 tasks
@jeffwidman
Copy link
Member

Thanks for letting us know and opening the PR to improve the docs! Much appreciated ❤️

@jeffwidman jeffwidman added E: documentation Docs issues F: dependency-ignores Allow excluding certain versions labels Mar 22, 2023
@DaleMckeown DaleMckeown mentioned this issue Apr 3, 2023
Closed
@SeanFeldman SeanFeldman mentioned this issue May 30, 2023
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
E: documentation Docs issues F: dependency-ignores Allow excluding certain versions T: bug 🐞 Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jeffwidman @DaleMckeown