Dependabot ignores dependencies even if they have a higher version than the ignored version. #10722

Closed · 1 task done
na1307 opened this issue Oct 3, 2024 · 11 comments

Labels: L: dotnet:nuget (NuGet packages via nuget or dotnet), T: bug 🐞 (Something isn't working)

Comments

@na1307
Contributor

na1307 commented Oct 3, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

nuget

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

https://github.com/na1307/SimpleSixtarScorecard/blob/b8467df433c933f0b9a1ab04c37c2067524aac92/Directory.Packages.props

dependabot.yml content

https://github.com/na1307/SimpleSixtarScorecard/blob/b8467df433c933f0b9a1ab04c37c2067524aac92/.github/dependabot.yml

Updated dependency

JsonSchema.Net

What you expected to see, versus what you actually saw

The dependency is marked as ignored for [>= 7.0.a, < 7.1], but dependabot ignores it even though the current latest version is 7.2.3.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

@na1307 na1307 added the T: bug 🐞 Something isn't working label Oct 3, 2024
@github-actions github-actions bot added the L: dotnet:nuget NuGet packages via nuget or dotnet label Oct 3, 2024
@brettfo
Contributor

brettfo commented Oct 9, 2024

Do you have a log file you could share? The dependabot.yml doesn't contain any ignore conditions, so they must have been injected elsewhere and the full log should contain those details.

@na1307
Contributor Author

na1307 commented Oct 10, 2024

I ignored it using a dependabot ignore command. (#9916 and na1307/SimpleSixtarScorecard#5) I have a Dependabot Actions log, but I don't know which one to link to.

@smcvb

smcvb commented Oct 14, 2024

I am faced with the same issue as @na1307. I maintain a relatively big set of Java-based projects that are updated weekly by dependabot in grouped pull requests.
As of last week, Dependabot has started to include ignored dependencies again.

One of those projects is the Axon Server Connector for Java project, where this Dependabot pull request is a concrete example.

Here are the logs for that job: axonserver-connector-java_AxonIQ_72920becbc1912680d9cbcaccd8ca146ba7aaf02.json

@na1307
Contributor Author

na1307 commented Oct 14, 2024

> I am faced with the same issue as @na1307. I maintain a relatively big set of Java-based projects that are updated weekly by dependabot in grouped pull requests.
> As of last week, Dependabot has started to include ignored dependencies again.
>
> One of those projects is the Axon Server Connector for Java project, where this Dependabot pull request is a concrete example.
>
> Here are the logs for that job: axonserver-connector-java_AxonIQ_72920becbc1912680d9cbcaccd8ca146ba7aaf02.json

It seems different in my case. In my case, Dependabot ignores the dependency even though there is a newer version that is outside the ignored dependency version range. It seems to be the exact opposite of your case.

@amazimbe
Contributor

> I am faced with the same issue as @na1307. I maintain a relatively big set of Java-based projects that are updated weekly by dependabot in grouped pull requests. As of last week, Dependabot has started to include ignored dependencies again.
>
> One of those projects is the Axon Server Connector for Java project, where this Dependabot pull request is a concrete example.
>
> Here are the logs for that job: axonserver-connector-java_AxonIQ_72920becbc1912680d9cbcaccd8ca146ba7aaf02.json

@smcvb I've responded on the closed PR but just to close the loop:

We made a change 3 weeks ago to follow the maven version identifier specification. Based on this, 5.0.a0 == 5.0.alpha < 5.0.a. The first 2 are prereleases but 5.0.a is not. Likewise with 5.a. If you use 5.0a0 and 5.a0, respectively, everything should work as before.

@smcvb

smcvb commented Oct 15, 2024

> @smcvb I've responded on the closed PR but just to close the loop:
>
> We made a change 3 weeks ago to follow the maven version identifier specification. Based on this, 5.0.a0 == 5.0.alpha < 5.0.a. The first 2 are prereleases but 5.0.a is not. Likewise with 5.a. If you use 5.0a0 and 5.a0, respectively, everything should work as before.

Thanks for the quick response, @amazimbe!
So, if I follow you and the linked description correctly, the fact the Mockito 5.0.0 release is added to my Dependabot PRs, is because I set ignore rules for 5.a and 5.0.a, where the latter causes the match with 5.0.0, right?

@amazimbe
Contributor

> Thanks for the quick response, @amazimbe! So, if I follow you and the linked description correctly, the fact the Mockito 5.0.0 release is added to my Dependabot PRs, is because I set ignore rules for 5.a and 5.0.a, where the latter causes the match with 5.0.0, right?

That's correct.

@amazimbe amazimbe assigned amazimbe and unassigned amazimbe Oct 16, 2024
@na1307 na1307 changed the title Ignore dependency even though there is a newer version that deviates from the ignored version Dependabot ignores dependencies even if they have a higher version than the ignored version. Oct 16, 2024
@brettfo
Contributor

brettfo commented Oct 16, 2024

Thank you to everybody for the additional information.

As to the original issue of version 7.2.3 not getting selected, that is indeed a bug and will need some more investigation.

As for the other issues like 5.0.a, that's an alternate syntax for a wildcard version. The short answer is that a single letter is treated as an asterisk *, so 5.0.a is interpreted as 5.0.* which is why it matches 5.0.0.
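The two rules spelled out in this thread (a bare single letter such as `5.0.a` is a wildcard for `5.0.*`, while a tag such as `5.0.a0` or `5.0.alpha` is a prerelease that sorts before the release) are easy to get wrong when reading an ignore condition by eye, and an ignore rule that silently swallows a newer release is exactly how a patched package never shows up in a Dependabot PR. The Ruby below is an added example, not Dependabot's code: it is a constructed, simplified model of the ordering described by @amazimbe and @brettfo, assuming dotted numeric versions, an optional trailing prerelease tag, and the `[>= X, < Y]` condition syntax quoted in this issue, so that a rule can be checked against concrete candidate versions before trusting it.

```ruby
# Added example (not Dependabot's implementation): a minimal model of the
# version ordering and wildcard rules described in this issue.
# Assumptions (constructed for this example):
#   - versions are dotted integers, e.g. "7.2.3";
#   - a trailing single letter ("a") is a wildcard, i.e. "5.0.a" == "5.0.*",
#     modelled here as the lowest version of that series;
#   - a trailing tag such as "a0", "alpha", "beta1" is a prerelease and sorts
#     before the corresponding release, so "5.0.a0" == "5.0.alpha" < "5.0.a".
module IgnoreRangeModel
  WILDCARD   = /\A[a-z]\z/i          # single letter: "a"
  PRERELEASE = /\A[a-z]+\d*\z/i      # "a0", "alpha", "rc1", ...
  PAD        = 4                     # pad numeric parts so "7.1" == "7.1.0"

  # Turn a version string into a comparable array:
  # [major, minor, patch, extra, release_flag] where release_flag is
  # 1 for a release and 0 for a prerelease (so prereleases sort first).
  def self.parse(version)
    nums = []
    release = 1
    version.strip.split(".").each do |part|
      if part =~ /\A\d+\z/
        nums << part.to_i
      elsif part =~ WILDCARD
        nums << 0                    # "5.0.a" -> "5.0.*" -> lowest of 5.0.x
      elsif part =~ PRERELEASE
        release = 0                  # "5.0.a0" is a prerelease of 5.0
        break                        # nothing after the tag is considered
      else
        raise ArgumentError, "unsupported version component: #{part.inspect}"
      end
    end
    nums += [0] * [PAD - nums.size, 0].max
    nums + [release]
  end

  # Parse an ignore condition such as "[>= 7.0.a, < 7.1]" into [[op, key], ...].
  def self.parse_range(range)
    inner = range.strip.delete_prefix("[").delete_suffix("]")
    inner.split(",").map do |clause|
      m = clause.strip.match(/\A(>=|<=|>|<|=)\s*(\S+)\z/)
      raise ArgumentError, "bad clause: #{clause.inspect}" unless m
      [m[1], parse(m[2])]
    end
  end

  def self.satisfies?(op, key, bound)
    cmp = key <=> bound
    case op
    when ">=" then cmp >= 0
    when "<=" then cmp <= 0
    when ">"  then cmp > 0
    when "<"  then cmp < 0
    when "="  then cmp == 0
    end
  end

  # True when every clause of the ignore condition holds for +version+,
  # i.e. the candidate version would be skipped by that rule.
  def self.ignored?(version, range)
    key = parse(version)
    parse_range(range).all? { |op, bound| satisfies?(op, key, bound) }
  end
end

if __FILE__ == $0
  # Constructed checks matching the cases discussed in the thread.
  rule = "[>= 7.0.a, < 7.1]"
  puts "7.2.3 ignored by #{rule}? #{IgnoreRangeModel.ignored?('7.2.3', rule)}"  # expected: false
  puts "7.0.5 ignored by #{rule}? #{IgnoreRangeModel.ignored?('7.0.5', rule)}"  # expected: true
  puts "5.0.0 ignored by [>= 5.0.a, < 5.1]? #{IgnoreRangeModel.ignored?('5.0.0', '[>= 5.0.a, < 5.1]')}"
  puts "5.0.a0 == 5.0.alpha? #{IgnoreRangeModel.parse('5.0.a0') == IgnoreRangeModel.parse('5.0.alpha')}"
end
```

Under this model the NuGet rule from the original report, `[>= 7.0.a, < 7.1]`, does not cover 7.2.3, which is the expected behaviour that the reported bug violates, and `5.0.a` evaluates to the same key as `5.0.0`, which is the wildcard reading @brettfo describes. Running a rule through a checker like this against the versions actually published is a cheap way to confirm that an ignore condition is not quietly hiding the release you wanted.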

@smcvb

smcvb commented Oct 28, 2024

After @amazimbe's helpful comment, I went and removed all comment-based ignore rules from the repositories I maintain.
Just to clarify, this is the approach I took:

> Thanks for the quick response, @amazimbe! So, if I follow you and the linked description correctly, the fact the Mockito 5.0.0 release is added to my Dependabot PRs, is because I set ignore rules for 5.a and 5.0.a, where the latter causes the match with 5.0.0, right?
>
> That's correct.

Either I have configured something incorrectly, or we are missing some other pointers at this stage.
Because this Dependabot pull request still added the aforementioned Mockito 5.0.0 dependency, while the ignore rules for this dependency are as follows:

org.mockito:mockito-core [>= 5.a, < 6] -> Can be found in this comment in the referred-to pull request.

Hence, the 5.0.a match was removed. This match was introduced through the @dependabot ignore [this] minor version command.
The leftover ignore rule is from invoking @dependabot ignore [this] major version.

So, if anybody can guide me on why a major release is still included while it has been ignored, that would be great!

If the recommendation is to use ignore rules in the dependabot.yml instead of using the GitHub comments, I am all for trying, by the way.

@amazimbe
Contributor

@smcvb here is the maven issue ticket: #10798. It's unrelated to this nuget issue.

@na1307
Contributor Author

na1307 commented Dec 2, 2024

This issue seems to be resolved now: na1307/SimpleSixtarScorecard#18

Projects: Status: Done

4 participants