Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dependabot updating dependencies from wrong package manager #2965

Closed
amogkam opened this issue Jan 11, 2021 · 7 comments
Closed

Dependabot updating dependencies from wrong package manager #2965

amogkam opened this issue Jan 11, 2021 · 7 comments
Labels
T: bug 🐞 Something isn't working

Comments

@amogkam
Copy link

amogkam commented Jan 11, 2021

We have recently added Dependabot for our repo and want to do pip updates only, but Dependabot is updating Java dependencies as well even though this is not configured.

Our dependabot.yml file looks like this:

version: 2
updates:
  # Tune/SGD/Doc requirements
  - package-ecosystem: "pip"
    # The requirements base directory currently only contains tune requirements.
    # If we want to add more requirements here (Core, RLlib, etc.), then we should make subdirectories for each one.
    directory: "/python/requirements"
    schedule:
      # TODO(amogkam) change this to weekly after some initial validation.
      interval: "daily"
      # 8 PM
      time: "20:00"
      # Use Pacific Standard Time
      timezone: "America/Los_Angeles"
    commit-message:
      prefix: "[tune]"
      include: "scope"
    # Only 3 upgrade PRs at a time.
    open-pull-requests-limit: 3
    reviewers:
      - "ray-project/ray-tune"

Only pip updates should be setup, but Dependabot has been creating PRs for Java updates and in a different directory than what's specified here.
ray-project/ray#13316
ray-project/ray#13317

Is there anything that's wrong with our yaml file? If Java package manager is not configured I would expect Dependabot not to make any PRs to update the Java dependencies.

@amogkam amogkam added the T: bug 🐞 Something isn't working label Jan 11, 2021
@amogkam
Copy link
Author

amogkam commented Jan 11, 2021

Also the Dependabot tab on the repo is only showing Python, so it's very odd why it's updating Java dependencies as well.
image

@qnighy
Copy link
Contributor

qnighy commented Jan 12, 2021

I'm also getting npm/yarn updates for a repository where only gomod and docker updates are enabled.

@feelepxyz
Copy link
Contributor

@amogkam it looks like those PRs are from Dependabot security updates which where generated from the dependabot alert page under the repository security tab. You can also disable automated security updates from the repo settings > security & analysis page (or for all repos from org settings > security & analysis settings).

We're aware of the issue between configuring version updates (config file only) which run on a schedule and security updates (triggered from dependabot alerts, both manually for old alerts and automatically when new alerts are found on the repo). We have some plans to improve this in the future.

@amogkam
Copy link
Author

amogkam commented Jan 13, 2021

@feelepxyz are Dependabot security updates automatically enabled? We never enabled it manually.

@amogkam
Copy link
Author

amogkam commented Jan 13, 2021

Also, these security update PRs are still considered as part of the 3 open PRs quota that we have set in the dependabot.yaml file. Is that expected? Or are security updates supposed to be completely separate from version updates?

@amogkam
Copy link
Author

amogkam commented Jan 13, 2021

Ah @feelepxyz never mind about it being automatically enabled. Looks like someone from our side triggered the security update PRs.

@feelepxyz
Copy link
Contributor

Also, these security update PRs are still considered as part of the 3 open PRs quota that we have set in the dependabot.yaml file. Is that expected? Or are security updates supposed to be completely separate from version updates?

No not currently, there's a separate open pull request limit (10) that only applies to automatically opened security updates, you can create any number of security updates if you trigger them manually.

feelepxyz added a commit that referenced this issue Apr 16, 2021
Changes since 7.7.4: https://github.com/npm/cli/blob/latest/CHANGELOG.md

## v7.10.0 (2021-04-15)

### FEATURES

* [`f9b639eb6`](npm/cli@f9b639e)
  [#3052](npm/cli#3052)
  feat(bugs): fall back to email if provided
  ([@Yash-Singh1](https://github.com/Yash-Singh1))
* [`8c9e24778`](npm/cli@8c9e247)
  [#3055](npm/cli#3055)
  feat(version): add workspace support
  ([@wraithgar](https://github.com/wraithgar))

### DEPENDENCIES

* [`f1e6743a6`](npm/cli@f1e6743)
  `[email protected]`
    * feat(retrieve-tag): retrieve unannotated git tags
    * fix(retrieve-tag): use semver to look for semver
* [`3b476a24c`](npm/cli@3b476a2)
  `@npmcl/[email protected]`
    * fix(git): do not use shell when calling git
* [`dfcd0c1e2`](npm/cli@dfcd0c1)
  [#3069](npm/cli#3069)
  `[email protected]`

### DOCUMENTATION

* [`90b61eda9`](npm/cli@90b61ed)
  [#3053](npm/cli#3053)
  fix(contributing.md): explicitely outline dep updates
  ([@darcyclarke](https://github.com/darcyclarke))

## v7.9.0 (2021-04-08)

### FEATURES

* [`1f3e88eba`](npm/cli@1f3e88e)
  [#3032](npm/cli#3032)
  feat(dist-tag): add workspace support
  ([@nlf](https://github.com/nlf))
* [`6e31df4e7`](npm/cli@6e31df4)
  [#3033](npm/cli#3033)
  feat(pack): add workspace support
  ([@wraithgar](https://github.com/wraithgar))

### DEPENDENCIES

* [`ba4f7fea8`](npm/cli@ba4f7fe)
  `[email protected]`

## v7.8.0 (2021-04-01)

### FEATURES


* [`8bcc5d73f`](npm/cli@8bcc5d7)
  [#2972](npm/cli#2972)
  feat(workspaces): add repo and docs
  ([@wraithgar](https://github.com/wraithgar))
* [`ec520ce32`](npm/cli@ec520ce)
  [#2998](npm/cli#2998)
  feat(set-script): implement workspaces
* [`32717a60e`](npm/cli@32717a6)
  [#3001](npm/cli#3001)
  feat(view): add workspace support
  ([@wraithgar](https://github.com/wraithgar))
* [`7b177e43f`](npm/cli@7b177e4)
  [#3014](npm/cli#3014)
  feat(config): add 'envExport' flag
  ([@isaacs](https://github.com/isaacs))

### BUG FIXES

* [`4c4252348`](npm/cli@4c42523)
  [#3016](npm/cli#3016)
  fix(usage): specify the key each time for multiples
  ([@isaacs](https://github.com/isaacs))
* [`9237d375b`](npm/cli@9237d37)
  [#3013](npm/cli#3013)
  fix(docs): add workspaces configuration
  ([@wraithgar](https://github.com/wraithgar))
* [`cb6eb0d20`](npm/cli@cb6eb0d)
  [#3015](npm/cli#3015)
  fix(ERESOLVE): better errors when current is missing
  ([@isaacs](https://github.com/isaacs))

### DEPENDENCIES

* [`61da39beb`](npm/cli@61da39b)
  `@npmcli/[email protected]`
  * feat(config): add support for envExport:false
* [`fb095a708`](npm/cli@fb095a7)
  `@npmcli/[email protected]`:
  * [#2896](npm/cli#2896) Provide currentEdge in
  ERESOLVE if known, and address self-linking edge case.
  * Add/remove dependencies to/from workspaces when set, not root project
  * Only reify the portions of the dependency graph identified by the
  `workspace` configuration value.
  * Do not recursively `chown` the project root path.

## v7.7.6 (2021-03-29)

### BUG FIXES

* [`9dd2ed518`](npm/cli@9dd2ed5)
  fix empty newline printed to stderr
  ([@ruyadorno](https://github.com/ruyadorno))
* [`9d391462a`](npm/cli@9d39146)
  [#2973](npm/cli#2973)
  fix spelling in workspaces.md file
  ([@sethomas](https://github.com/sethomas))
* [`4b100249a`](npm/cli@4b10024)
  [#2979](npm/cli#2979)
  change 'maxsockets' default value back to 15
  ([@wallrat](https://github.com/wallrat))

### DEPENDENCIES

* [`a28f89572`](npm/cli@a28f895)
  `[email protected]`
    * fix reading `script-shell` config on `npm version` lifecycle scripts
* [`03734c29e`](npm/cli@03734c2)
  `[email protected]`
    * fix packaging `bundledDependencies`
* [`80ce2a019`](npm/cli@80ce2a0)
  `@npmcli/[email protected]`
    * fix error auditing package documents with missing dependencies

## v7.7.5 (2021-03-25)

### BUG FIXES

* [`95ba87622`](npm/cli@95ba876)
  [#2949](npm/cli#2949)
  fix handling manual indexes in `npm help`
  ([@dmchurch](https://github.com/dmchurch))
* [`59cf37962`](npm/cli@59cf379)
  [#2958](npm/cli#2958)
  always set `npm.command` to canonical command name
  ([@isaacs](https://github.com/isaacs))
* [`1415b4bde`](npm/cli@1415b4b)
  [#2964](npm/cli#2964)
  fix(config): properly translate user-agent
  ([@wraithgar](https://github.com/wraithgar))
* [`59271936d`](npm/cli@5927193)
  [#2965](npm/cli#2965)
  fix(config): tie save-exact/save-prefix together
  ([@wraithgar](https://github.com/wraithgar))

### TESTS

* [`97b415287`](npm/cli@97b4152)
  [#2959](npm/cli#2959)
  add smoke tests
  ([@ruyadorno](https://github.com/ruyadorno))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
T: bug 🐞 Something isn't working
Projects
None yet
Development

No branches or pull requests

3 participants