dependabot groups dependencies incorrectly #7707
Comments
possibly related to #7695, although in this case the dependencies do need updating. Common points seem to include use of sorbet & installing gems from github
Thanks for the repro! An interesting thing is I forked it and I only get 3 PRs, sorbet-runtime gets I think this is related to #7621 but I need some more time to trace it down more.
Yes observed similar results - I only get the grouped PR running dependabot 1 commit at a time.
We are seeing a similar issue. Also involves gems which we install from Github
I think one solution is to configure grouped updates. Above you said you expected a single PR, if you add grouping like so:

```yaml
version: 2
updates:
  - package-ecosystem: 'bundler' # See documentation for possible values
    directory: '/' # Location of package manifests
    schedule:
      interval: 'weekly'
    insecure-external-code-execution: allow
    groups:
      everything:
        patterns:
          - "*"
```

Then all the updates end up in a single PR. I tried it in a fork and it generated this PR: https://github.com/jakecoffman/dependabot-repro/pull/5 It does look like we have a bug in generating the PR body since it lists the same dependencies multiple times, but the diff itself looks reasonable. This seems to fix the rebasing issue we're seeing as well.
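As an added example (not from this thread or from the Dependabot project), a narrower grouping that matches what the reporter expected rather than the catch-all `"*"` pattern above: sorbet-static and sorbet-runtime are updated together, and any gem that matches no group (puma, dependabot-example-dep) gets its own PR. The group name `sorbet` is an assumption; `insecure-external-code-execution: allow` is carried over from the config above, and since it permits Dependabot to execute code from the Gemfile during an update, it should be omitted when the manifest does not need it.

```yaml
# Added example, not the commenter's config: group only the sorbet gems,
# which must move together, and leave every other gem in its own PR.
version: 2
updates:
  - package-ecosystem: 'bundler'
    directory: '/'
    schedule:
      interval: 'weekly'
    # Carried over from the config above. Lets Dependabot run code from the
    # Gemfile during updates; drop it unless the manifest requires it.
    insecure-external-code-execution: allow
    groups:
      sorbet:                    # group name is an assumption
        patterns:
          - "sorbet-static"
          - "sorbet-runtime"
```

Groups apply to version updates; a dependency that matches none of the listed patterns is handled as a separate update, so this config yields one PR for the sorbet pair and one each for the remaining gems.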
I think this is fixed by either #8279 or #8267. I suspected this was being caused by a previous change where Dependabot was pulling in too many changes during a Bundler update and both of those fix that sort of issue. I reforked the repro repo and was unable to cause the same problem and the PRs look good to me.
Is there an existing issue for this?
Package ecosystem
bundler
Package manager version
bundler 2.4.10
Language version
ruby 3.2.2
Manifest location and content before the Dependabot update
https://github.com/fcheung/dependabot-repro/blob/main/Gemfile.lock
dependabot.yml content
https://github.com/fcheung/dependabot-repro/blob/main/.github/dependabot.yml
Updated dependency
Updates sorbet-runtime from 0.5.10929 to 0.5.10946
Updates dependabot-example-dep from 7924b84 to 0.1.0
Updates puma from db06025 to 6.3.0
Updates sorbet-static from 0.5.10929 to 0.5.10946
Updates sorbet-static from 0.5.10929 to 0.5.10946
What you expected to see, versus what you actually saw
Dependabot created a single PR that updates:
it is correct that sorbet-static & sorbet-runtime should be updated together, however there is no reason to group puma with these gems and no reason to include dependabot-example-dep either - although all these gems do need updating, they should be separate PRs
sorbet static is also listed twice in the PR
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
fcheung/dependabot-repro#6
log from dependabot:
Smallest manifest that reproduces the issue
This is the smallest repro I have:
https://github.com/fcheung/dependabot-repro
It seems that when dependabot runs is important: when I created a new github repo and pushed all the changes in one go, I didn't get the issue. However, pushing the changes more incrementally and running dependabot after each commit has reproduced the issue.