Dependabot "update-type" not available in metadata retrieved for PR #499
Comments
Similar but not the same: #339. On that bug report it's about the
@Nishnha could you give me some information about this issue?
@simonschaufi fetch-metadata/src/dependabot/update_metadata.ts Lines 58 to 82 in 325b863
In the above example, the commit message was as follows.
There are two possible solutions. @Nishnha
I think option 1 is the easier and better solution here.
Hi are these PRs that address a security update? We don't include the update-type for security updates at the moment.
To add more context, so far we've purposefully avoided exposing I realize security by obscurity isn't great, and technically someone could figure this out themselves by cross-referencing CVE data with library versions... but still, let's not make the bad guys' job easier. One idea we've considered is that the risk is much lower for innersource/private repos, so we could optionally expose it for them. But suddenly this gets a bit more complicated and requires more engineering time, and so far it's not that frequently requested by users. So I don't expect us to actually spend any time on this anytime soon.
This used to work and just seeing that update-type is set to null after I enabled group security updates.
Hello, I have the same issue as this person: Dependabot "update-type" not available in metadata retrieved for PR using dependabot/fetch-metadata@v1
For example here: https://github.com/simonschaufi/php-libkml/actions/runs/8285139412/job/22672206081
As you can see, outputs.update-type is always null
This is my workflow: https://github.com/simonschaufi/php-libkml/blob/main/.github/workflows/dependabot-auto-merge.yml
Is there some misconfiguration or is this really a bug?
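One way an auto-merge workflow can stay safe when update-type comes back null, as this thread describes for security updates: decide from the declared type when it is present, otherwise derive the bump from the version pair, and hand anything unclear to a human. This is an added example, not code from the fetch-metadata project or from the workflow linked above; the function names and the merge policy are assumptions, and it assumes the workflow passes in the action's `previous-version` and `new-version` outputs.

```shell
#!/bin/sh
# Added example: fail-closed auto-merge gate for Dependabot PRs whose
# update-type output is empty or "null". The policy below is an assumption.

# bump_level PREV NEW -> major|minor|patch, or "unknown" when either value
# is not plain MAJOR.MINOR.PATCH or NEW is not newer than PREV.
bump_level() {
  bl_prev=${1#v}; bl_new=${2#v}
  for bl_v in "$bl_prev" "$bl_new"; do
    case $bl_v in
      *[!0-9.]*|*..*|.*|*.|*.*.*.*) echo unknown; return 0 ;;
      *.*.*) ;;
      *) echo unknown; return 0 ;;
    esac
  done
  bl_ifs=$IFS; IFS=.
  set -- $bl_prev $bl_new   # $1-$3 = old version, $4-$6 = new version
  IFS=$bl_ifs
  if   [ "$4" -gt "$1" ]; then echo major
  elif [ "$4" -lt "$1" ]; then echo unknown
  elif [ "$5" -gt "$2" ]; then echo minor
  elif [ "$5" -lt "$2" ]; then echo unknown
  elif [ "$6" -gt "$3" ]; then echo patch
  else echo unknown
  fi
}

# automerge_decision UPDATE_TYPE PREV NEW -> "merge" or "review".
automerge_decision() {
  case $1 in
    version-update:semver-patch|version-update:semver-minor) echo merge; return 0 ;;
    ''|null) ;;                       # missing: fall through to the versions
    *) echo review; return 0 ;;       # major, or any value we do not recognise
  esac
  # update-type missing: derive the bump from the versions, else ask a human.
  case $(bump_level "$2" "$3") in
    patch|minor) echo merge ;;
    *) echo review ;;
  esac
}
```

A grouped PR changes several dependencies, so run the check once per dependency and merge only when every result is `merge`.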