Empty/incomplete commit message

[mistic100]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

yarn

Package manager version

1

Language version

No response

Manifest location and content before the Dependabot update

https://github.com/mistic100/Photo-Sphere-Viewer/blob/main/package.json

dependabot.yml content

version: 2
updates:
  - package-ecosystem: npm
    directory: '/'
    schedule:
      interval: daily
    assignees:
      - mistic100
    ignore:
      - dependency-name: '*'
        update-types: ['version-update:semver-patch']
      - dependency-name: '@typescript-eslint/*'
        update-types: ['version-update:semver-minor']
      - dependency-name: 'marked'
        update-types: ['version-update:semver-major']
    commit-message:
      prefix: 'chore'
      include: 'scope'
  - package-ecosystem: github-actions
    directory: '/'
    schedule:
      interval: weekly
    assignees:
      - mistic100
    commit-message:
      prefix: 'chore'
      include: 'scope'

Updated dependency

No response

What you expected to see, versus what you actually saw

Recent update commits message are empty, only containing ---, see examples bellow. On the other hand the PR title is complete.

I didn't made any recent changes in the configuration.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

• chore(deps-dev): bump turbo from 1.12.2 to 1.13.3 mistic100/Photo-Sphere-Viewer#1310
• chore(deps-dev): bump mocha and @types/mocha mistic100/Photo-Sphere-Viewer#1309
• chore(deps-dev): bump esbuild-sass-plugin from 3.2.0 to 3.3.0 mistic100/Photo-Sphere-Viewer#1312
• chore(deps-dev): bump sort-package-json from 2.8.0 to 2.10.0 mistic100/Photo-Sphere-Viewer#1311

Smallest manifest that reproduces the issue

No response

[slawekjaranowski]

One more example: https://github.com/codehaus-plexus/plexus-xml/pull/34/commits

[l0b0]

Another example (fixed manually to make it pass gitlint), with an original commit message of:

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

.github/dependabot.yml:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: daily
    commit-message:
      prefix: "build(deps)"

[federicobond]

This is happening for me too with Python dependencies.

[remarkablemark]

Here's another example: https://github.com/remarkablemark/setup-codeclimate/pull/329/commits

[fredrikaverpil]

💸 🔥

[martincostello]

This appears to be affecting all package managers - I'm seeing it for GitHub Actions, npm packages and NuGet packages.

[Uaitt]

Happens in bundler too 🥲.

[mjanzs]

We have same issue on multiple private repos (maven)

[cpswan]

A little before and after example:

before

build(deps): Update atsdk requirement
Updates the requirements on [atsdk](https://github.com/atsign-foundation/at_python) to permit the latest version.

Updates `atsdk` to 0.2.14
- [Release notes](https://github.com/atsign-foundation/at_python/releases)
- [Commits](https://github.com/atsign-foundation/at_python/compare/v0.2.13...v0.2.14)

---
updated-dependencies:
- dependency-name: atsdk
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <[email protected]>

After

---
updated-dependencies:
- dependency-name: atsdk
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <[email protected]>

So it's not just missing the summary line (and failing Semantic PR checks), but there's a whole bunch of other content that's missing. Everything before --- is missing and --- becomes the commit summary :/

Those are for pip, but I'm seeing this across all package managers.

[dhensby]

In case this is helpful in tracking down when this went live:

Last good dependabot commit message I've seen was 2024-05-20T17:36:14Z and first bad commit was 2024-05-20T18:36:23Z - so looks like a dependabot release some time between 17:36 and 18:36 for the repos I've got visibility over.

[samtrion]

Same issue with the ecosystems nuget, gitmodules, github-actions & devcontainers

[zhu0629]

Same issue with the ecosystems npm, pip

[leethree]

We are seeing this in our repo when dependabot PRs were squash merged

[brunoalr]

just for completeness: it also happens on gitsubmodule ecosystem. Example: https://github.com/OpenImageDebugger/OpenImageDebugger/pull/339/commits

[matteovivona]

Same here even with package-ecosystem: "github-actions". The custom commit-message is completely ignored

[gastaldi]

Any estimate when this is going to be fixed?

[phillipuniverse]

I just squash-merged a commit about 5 minutes ago with @dependabot squash and merge and it looks like the commit message was fixed!

This one was for the github actions ecosystem.

I also confirmed one for the python ecosystem, specifically Poetry:

Looks like a fix got deployed very recently.

[johanneswuerbach]

the fix for this issue has been deployed

According to GitHub Support 🎉

[Pyker]

This appears to be fixed for new PRs, but current broken PRs are still broken, even if you do @dependbot recreate or @dependabot squash and merge.

[samtrion]

This appears to be fixed for new PRs, but current broken PRs are still broken, even if you do @dependbot recreate or @dependabot squash and merge.

Ya, you have to life with that or manually fix the git commits/history.

[TheRealWaldo]

With hundreds, if not thousands, of Dependbot PRs open with invalid ---'s in the messages, wouldn't it be at least a little better to fix @dependabot recreate to fix these?