Dependabot 'fixes' alert when an unrelated PR is merged #6928
Labels: F: dependabot-alerts, L: javascript:npm, L: python:pip, service 💁, T: bug 🐞
Is there an existing issue for this?
Package ecosystem
pip, npm
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
https://github.com/metabrainz/listenbrainz-server/blob/7c28fb6d305b4b38fbd1ff39b1bbfd5bab65c686/requirements.txt
dependabot.yml content
No response
Updated dependency
redis 4.3.3 > 4.5.3
What you expected to see, versus what you actually saw
Two Dependabot alerts are marked as "Fixed" and point to a pull request that is unrelated, while the actual PR that fixes the alert is unmerged.
See https://github.com/metabrainz/listenbrainz-server/security/dependabot/55 and https://github.com/metabrainz/listenbrainz-server/security/dependabot/54 , which at the time of writing are marked as "Fixed" and point to this (merged) PR: metabrainz/listenbrainz-server#2395 (an unrelated PR which does not update the dependency in question)
![image](https://user-images.githubusercontent.com/6179856/228305296-ce1bd07f-fab9-4f53-800f-68446872a03f.png)
The alert concerns a Python server dependency, while the linked PR concerns only front-end JS code.
However, Dependabot did correctly create a new PR with the required Python dependency update: metabrainz/listenbrainz-server#2428
On that PR 2428, the info bubble does point to the correct Dependabot alert:
> Merging this pull request will resolve a high severity [Dependabot alert](https://github.com/metabrainz/listenbrainz-server/security/dependabot/55) on redis.
For reference, we also use Dependabot to update front-end dependencies, using npm as the package manager and a package-lock.json lockfile.
The mistaken PR 2395 does update a front-end dependency and the lockfile, and the PR was merged.
Somehow this triggered Dependabot to mark the two alerts as Fixed despite the merged PR being unrelated.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
https://github.com/metabrainz/listenbrainz-server/security/dependabot/54
https://github.com/metabrainz/listenbrainz-server/security/dependabot/55
metabrainz/listenbrainz-server#2428
And the unrelated PR:
metabrainz/listenbrainz-server#2395
Smallest manifest that reproduces the issue
No response
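The check the report expects Dependabot to apply, written out as an added example (this is not dependabot-core's or GitHub's own code): an alert should count as fixed only when the merged PR changes the manifest the alert was raised against and the new pin for the vulnerable package is at or above the patched version, so a PR that only touches another ecosystem's lockfile never qualifies. The `Alert` class, the `pinned_version` and `pr_resolves_alert` helpers, the sample `requirements.txt` and `package-lock.json` contents and the `example-widget` package are constructed for illustration; only redis 4.3.3 to 4.5.3 and the two file names come from the report.

```python
"""Decide whether a merged PR actually remediates a Dependabot alert.

Added example, not dependabot-core's logic. Rule encoded: the alert's own
manifest must change, and the reported package's pin must move from its old
value to a version >= the patched version. Sample manifests below are
constructed for this example.
"""
import json
import re
from dataclasses import dataclass

# Matches an exact pin such as "redis==4.3.3" or "Flask == 2.2.3  # comment".
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)")


@dataclass(frozen=True)
class Alert:
    ecosystem: str   # "pip" or "npm"
    package: str     # package name as reported in the alert
    manifest: str    # path the alert was raised against
    patched: str     # first non-vulnerable version


def _canon(name: str) -> str:
    """Normalise package names so redis/Redis/redis_py-style variants compare equal."""
    return name.lower().replace("_", "-")


def parse_version(v: str) -> tuple:
    """Numeric dot-separated comparison; enough for plain x.y.z releases."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def pinned_version(ecosystem: str, package: str, text: str):
    """Return the version `text` (a manifest or lockfile) pins for `package`, else None."""
    if ecosystem == "pip":
        for line in text.splitlines():
            m = _PIN_RE.match(line)
            if m and _canon(m.group(1)) == _canon(package):
                return m.group(2)
        return None
    if ecosystem == "npm":
        # lockfileVersion 2/3 keys resolved packages by their node_modules path.
        lock = json.loads(text)
        entry = lock.get("packages", {}).get(f"node_modules/{package}")
        return entry.get("version") if entry else None
    raise ValueError(f"unsupported ecosystem {ecosystem!r}")


def pr_resolves_alert(alert: Alert, changed_files: dict) -> bool:
    """changed_files maps a path to (content before the PR, content after the PR)."""
    if alert.manifest not in changed_files:
        return False  # the alert's manifest was not touched: cannot be a fix
    before, after = changed_files[alert.manifest]
    old = pinned_version(alert.ecosystem, alert.package, before)
    new = pinned_version(alert.ecosystem, alert.package, after)
    if new is None or new == old:
        return False  # the reported package was not bumped in this PR
    return parse_version(new) >= parse_version(alert.patched)


# --- constructed sample data -------------------------------------------------
REDIS_ALERT = Alert("pip", "redis", "requirements.txt", "4.5.3")
WIDGET_ALERT = Alert("npm", "example-widget", "package-lock.json", "1.0.1")  # placeholder, not a real advisory

REQ_BEFORE = "Flask==2.2.3\nredis==4.3.3\n"
REQ_FIXED = "Flask==2.2.3\nredis==4.5.3\n"
REQ_PARTIAL = "Flask==2.2.3\nredis==4.4.0\n"   # bumped, but still below the patched version

LOCK_BEFORE = json.dumps({"lockfileVersion": 3, "packages": {"node_modules/example-widget": {"version": "1.0.0"}}})
LOCK_AFTER = json.dumps({"lockfileVersion": 3, "packages": {"node_modules/example-widget": {"version": "1.0.1"}}})

FRONTEND_PR = {"package-lock.json": (LOCK_BEFORE, LOCK_AFTER)}   # analogue of the unrelated PR
BACKEND_PR = {"requirements.txt": (REQ_BEFORE, REQ_FIXED)}       # analogue of the real fix PR
PARTIAL_PR = {"requirements.txt": (REQ_BEFORE, REQ_PARTIAL)}


if __name__ == "__main__":
    for label, alert, pr in [
        ("pip alert vs front-end-only PR", REDIS_ALERT, FRONTEND_PR),
        ("pip alert vs requirements.txt fix", REDIS_ALERT, BACKEND_PR),
        ("pip alert vs insufficient bump", REDIS_ALERT, PARTIAL_PR),
        ("npm alert vs front-end PR", WIDGET_ALERT, FRONTEND_PR),
    ]:
        print(f"{label}: {'fixed' if pr_resolves_alert(alert, pr) else 'not fixed'}")
```

The first case is the situation in the report: the PR only rewrites `package-lock.json`, so the pip alert's manifest is absent from the change set and the function refuses to mark it fixed, whatever else the PR did. Real manifests also carry range specifiers, extras and environment markers that this pin parser deliberately ignores; anything it cannot read is treated as "not bumped", which fails safe toward leaving the alert open.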