Listing unchanged dependency twice in the update PR #7695

Closed
1 task done
iesahin opened this issue Aug 2, 2023 · 9 comments · Fixed by #9436
Assignees: honeyankit
Labels: F: grouped-updates 🎳 (Relates to bumping more than one dependency in a single PR), L: ruby:bundler (RubyGems via bundler), T: bug 🐞 (Something isn't working)

Comments

@iesahin

iesahin commented Aug 2, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

bundler

Package manager version

Bundler version 2.4.10

Language version

ruby 3.2.2 (2023-03-30 revision e51014f9c0) [arm64-darwin21]

Manifest location and content before the Dependabot update

/Gemfile

The relevant part is

# JWT auth server/provider for the frontend to authenticate with rails
# Need to use this specific commit, which is unofficially the 2.2 release,
#   because the new version hasn't been released to RubyGems yet.
# See https://davidgay.org/programming/jwt-auth-rails-6-knock/
# and https://github.com/nsarno/knock/issues/250
gem "knock", github: "nsarno/knock", branch: "master" # rubocop:disable Bundler/GemVersion

and

/Gemfile.lock

GIT
  remote: https://github.com/nsarno/knock.git
  revision: 8e8b3e8d29eccb83a83ea2449e006250f025632a
  branch: master
  specs:
    knock (2.2.0)
      bcrypt (~> 3.1)
      jwt (~> 2.2.1)
      rails (>= 5)

...

knock!

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "tuesday"
    # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#commit-message
    commit-message:
      # Use our PR title naming convention
      prefix: "UPGRADE - "
    reviewers:
      - "bmulholland"
      - "kmewhort"
      - "nikasvan"
      - "iesahin"

  - package-ecosystem: "bundler"
    directory: "/"
    allow:
      # By default, dependabot updates only direct dependencies. This updates
      # sub-/transitive dependencies
      - dependency-type: "all"
    schedule:
      interval: "weekly"
      day: "tuesday"
      # Emre prefers these at noon his time
      timezone: "Turkey"
      time: "12:00"
    commit-message:
      # Use our PR title naming convention
      prefix: "UPGRADE - "
    groups:
      # Dependabot grouped updates:
      # Docs at https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
      # This is the name of your group, it will be used in PR titles and branch
      # names
      dependencies:
        patterns:
          - "*"

Updated dependency

knock: 8e8b3e8 to 2.2.0 (listed twice)
https://github.com/nsarno/knock

What you expected to see, versus what you actually saw

Nothing. No new version is released.

Native package manager behavior

bundler upgrade doesn't upgrade the package.

Images of the diff or a link to the PR, issue, or logs

Changed files doesn't have the knock line.

[Screenshot: Screen Shot 2023-08-02 at 15:21:16]
[Screenshot: Screen Shot 2023-08-02 at 15:22:30]

Smallest manifest that reproduces the issue

No response

@iesahin iesahin added the T: bug 🐞 Something isn't working label Aug 2, 2023
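The report above boils down to two questions a grouped-update PR has to answer from the lockfile alone: did a dependency's pinned identity actually change, and is each changed dependency reported exactly once? The following Ruby is an added example written for this page; it is not Dependabot's or the reporter's code. It reads the GIT and GEM sections of a Gemfile.lock, treats a git-sourced gem as identified by its `revision:` (the `(2.2.0)` version string does not move for a branch pin, which is why "8e8b3e8 to 2.2.0" is not a meaningful change) and a RubyGems gem by its version, and keys everything by gem name so a dependency cannot be listed twice. The two lockfiles are constructed for the example: `knock` sits at the same revision on both sides and must be omitted, and `nokogiri` appears with a platform-specific second entry, which is one plausible way a single gem could be counted twice; the thread does not say what caused the duplicates the reporter saw.

```ruby
# frozen_string_literal: true
#
# Added example (not Dependabot's or the reporter's code). Assumptions: a GIT
# gem is identified by its pinned revision, a GEM gem by its version, and a
# "-<platform>" suffix such as "(1.15.4-arm64-darwin)" folds into the gem name.
class LockfileSpecs
  Spec = Struct.new(:name, :version, :revision, :remote, keyword_init: true)

  # Parse the GIT and GEM sections into a Hash keyed by gem name; keying by
  # name is what makes "listed twice" impossible downstream.
  def self.parse(text)
    specs = {}
    section = nil   # "GIT" or "GEM" while inside one of those sections
    attrs = {}      # "  remote:" / "  revision:" lines of the current section

    text.each_line(chomp: true) do |line|
      if line.empty? || line !~ /\A\s/            # blank line or section header
        section = %w[GIT GEM].include?(line) ? line : nil
        attrs = {}
        next
      end
      next unless section

      if line =~ /\A  (\w+): (.*)\z/              # two-space indented attribute
        attrs[$1] = $2
        next
      end

      # Spec lines are indented exactly four spaces: "    name (version[-platform])".
      # Six-space lines are the spec's own dependencies and are skipped.
      next unless line =~ /\A    (\S+) \(([^)]+)\)\z/
      name = $1
      version = $2.split("-", 2).first            # drop "-<platform>" (assumption)
      specs[name] ||= Spec.new(name: name, version: version,
                               revision: attrs["revision"], remote: attrs["remote"])
    end
    specs
  end

  # The value whose change means the dependency was actually updated.
  def self.identity(spec)
    spec.revision || spec.version
  end

  # One {name:, from:, to:} entry per gem whose identity differs between the
  # two lockfiles, sorted by name. A gem pinned to the same git revision on
  # both sides (knock in the thread) is omitted; no gem can appear twice.
  def self.updated(old_text, new_text)
    before = parse(old_text)
    parse(new_text).filter_map do |name, spec|
      prev = before[name]
      next if prev && identity(prev) == identity(spec)
      { name: name, from: prev && identity(prev), to: identity(spec) }
    end.sort_by { |entry| entry[:name] }
  end
end

# Constructed lockfile pair for the example (not the reporter's real lockfile).
OLD_LOCK = <<~LOCK
  GIT
    remote: https://github.com/nsarno/knock.git
    revision: 8e8b3e8d29eccb83a83ea2449e006250f025632a
    branch: master
    specs:
      knock (2.2.0)
        bcrypt (~> 3.1)
        jwt (~> 2.2.1)

  GEM
    remote: https://rubygems.org/
    specs:
      jwt (2.2.1)
      nokogiri (1.15.2)
        racc (~> 1.4)
      nokogiri (1.15.2-arm64-darwin)
        racc (~> 1.4)

  DEPENDENCIES
    knock!
LOCK

NEW_LOCK = <<~LOCK
  GIT
    remote: https://github.com/nsarno/knock.git
    revision: 8e8b3e8d29eccb83a83ea2449e006250f025632a
    branch: master
    specs:
      knock (2.2.0)
        jwt (~> 2.2.1)

  GEM
    remote: https://rubygems.org/
    specs:
      jwt (2.2.2)
      nokogiri (1.15.4)
      nokogiri (1.15.4-arm64-darwin)
LOCK

if $PROGRAM_NAME == __FILE__
  LockfileSpecs.updated(OLD_LOCK, NEW_LOCK).each do |e|
    puts "#{e[:name]}: #{e[:from]} -> #{e[:to]}"
  end
end
```

Run stand-alone it prints `jwt: 2.2.1 -> 2.2.2` and `nokogiri: 1.15.2 -> 1.15.4`; `knock` is absent because its revision did not move, and `nokogiri` appears once despite two spec lines. The parser deliberately ignores PLATFORMS and DEPENDENCIES, and it does not resolve `~>` constraints; it only compares what the lockfile already pinned.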
@bmulholland

Note also a related bug, where the previous version is listed as a commit, which is incorrect. They were upgraded from a previous version number.

@abdulapopoola
Member

@bmulholland does this bug still repro?

@bmulholland

bmulholland commented Mar 26, 2024

The issue filed hasn't repro'd in a while, though that could be because we're using less version pins now. Happy for this one to be closed out.

However, there's a similar issue, where upgraded dependencies are shown twice in the table. Here's a screenshot from today's upgrade PR:

[Screenshot: Screenshot 2024-03-26 at 13:55:05]

@abdulapopoola
Member

Thanks, hoping we get someone to take a look at this from our end soon too.

@honeyankit
Contributor

@bmulholland Is it possible to provide the manifest file along with the dependabot.yml file which resulted in the duplicate upgraded dependencies, to easily reproduce the issue? I am not able to reproduce it at my end.

@honeyankit honeyankit self-assigned this Apr 2, 2024
@bmulholland

@honeyankit Sure -- emailed them to you directly.

@honeyankit
Contributor

@bmulholland With your manifest files, I was easily able to reproduce the issue and fix it.

@bmulholland

Glad it helped. Thanks for the fix!

@bmulholland

@honeyankit Could your fix have caused this regression? #9457
