dependabot-azure-devops: Dependabot yml config ignore (nuget) doesn't work

Describe the bug

When trying to use the dependabot config ignore pattern, the ignore pattern is not used.

To Reproduce

Steps to reproduce the behavior:

  1. add a dependabot.yml file in the root
  2. use the nuget package, e.g.:
# dotnet
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "sunday"
    rebase-strategy: "auto"
    open-pull-requests-limit: 99
    target-branch: "master"
    versioning-strategy: auto
    ignore:
      - dependency-name: "Microsoft.Extensions.*"
        update-types: ["semver-major"]
      - dependency-name: "Microsoft.EntityFrameworkCore.*"
        update-types: ["semver-major"]
  3. run the azure devops pipeline.
  4. PRs are being made with Microsoft.Extensions.* from 6.0 to 7.0 -> error:
Updating Microsoft.Extensions.Configuration from 6.0.1 to 7.0.0
Submitting Microsoft.Extensions.Configuration pull request for creation.

Expected behavior

To have dependencies with wildcards being ignored. I tried using the update-types and the - version option.

Environment:

  • Pipeline builder: Azure Devops Pipelines
  • tingle docker version 0.10.1

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 30 (12 by maintainers)

Most upvoted comments

Possibly the reason why no one offered a repro is this not being a major/blocking issue. When it is, I always get a repro.

This works in the latest/preview bits as evidenced in the pipeline run below: https://dev.azure.com/tingle/dependabot/_build/results?buildId=53032&view=logs&j=12f1170f-54f2-53f3-20dd-22fc7dff55f9&t=1f93c1a3-255b-505a-53c9-c382114aabf5

A release is due in the course of the week. If by chance you want to be on the bleeding edge, you can specify the input dockerImageTag: latest or dockerImageTag: '0.11.3-ci.13' so long as you can remove that later to avoid issues.

@BoreasMun and @wcunningham1966, thanks for pointing out different behaviors based on root vs non-root directories.

Investigating this, it appears the core library fetches the configuration file relative to the passed directory and this is meant to work for both remote and locally cached update behaviors.

I took so much more time to understand this without a reproduction. Arg! ADO people and their secrets!!! I created a repro https://dev.azure.com/tingle/dependabot/_git/repro-399 to help out and a fix is on the way within the hour.

Absolutely no rush. Sorry if I sounded impatient! I really do appreciate your hard work on this. Thanks!

I have a similar problem. Nuget check in a root directory works fine, but npm checks running in non-root directories are not taking the ignore list into account. Maybe that’s the issue here?

I suspect this is the issue as my nuget checks in non-root directories are being ignored. I used a simplified pipeline earlier to confirm they were still not using the ignore.

I wish there were a way to choose what version to run so we can downgrade.

I’ve managed to partially repro this but only for npm using semver-major. Will investigate further and report back soon.
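
One way to confirm from a pipeline log whether the ignore rules in the issue were honoured, as an added example that is not part of the original thread or of the project's code: it parses the "Updating ... from ... to ..." lines quoted above and reports every update the rules should have suppressed. The function names, the case-insensitive wildcard match and the bump classification from the first three numeric components are assumptions of this sketch, and two of the three sample log lines are constructed.

```python
import re

# Ignore rules copied from the dependabot.yml in the issue above.
IGNORE_RULES = [
    {"dependency-name": "Microsoft.Extensions.*", "update-types": ["semver-major"]},
    {"dependency-name": "Microsoft.EntityFrameworkCore.*", "update-types": ["semver-major"]},
]
# "Updating <name> from <old> to <new>", the log format quoted in the issue.
UPDATE_LINE = re.compile(r"^Updating (\S+) from (\S+) to (\S+)$")

def name_matches(pattern, name):
    """'*' matches any run of characters; case-insensitive (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name, re.IGNORECASE) is not None

def bump_type(old, new):
    """Classify old -> new by the first differing numeric component."""
    def core(version):
        nums = [int(n) for n in re.findall(r"\d+", re.split(r"[-+]", version)[0])[:3]]
        return nums + [0] * (3 - len(nums))
    labels = ("semver-major", "semver-minor", "semver-patch")
    for label, x, y in zip(labels, core(old), core(new)):
        if x != y:
            return label
    return None  # same major.minor.patch

def is_ignored(name, old, new, rules=IGNORE_RULES):
    """True when a rule names this dependency and lists this bump type.
    Rules that use `versions` instead of `update-types` are not evaluated."""
    bump = bump_type(old, new)
    for rule in rules:
        # GitHub's docs spell these "version-update:semver-major"; the issue's
        # config uses the short form, so both spellings are accepted here.
        types = [t.split(":")[-1] for t in rule.get("update-types", [])]
        if name_matches(rule["dependency-name"], name) and bump in types:
            return True
    return False

def policy_violations(log_text, rules=IGNORE_RULES):
    """Return (name, old, new) for each logged update the rules should have ignored."""
    found = (UPDATE_LINE.match(line.strip()) for line in log_text.splitlines())
    return [m.groups() for m in found if m and is_ignored(*m.groups(), rules=rules)]

# First line is quoted in the issue; the other two are constructed for contrast.
SAMPLE_LOG = """\
Updating Microsoft.Extensions.Configuration from 6.0.1 to 7.0.0
Updating Microsoft.Extensions.Logging from 6.0.0 to 6.0.1
Updating Newtonsoft.Json from 12.0.3 to 13.0.1
"""

if __name__ == "__main__":
    for name, old, new in policy_violations(SAMPLE_LOG):
        print(f"ignore rule not applied: {name} {old} -> {new}")
```

Running the same check once per configured directory makes the root versus non-root difference described in the comments visible in the output.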