dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.

Home Page: https://docs.github.com/en/code-security/dependabot

Upgrades unrelated packages, even with incompatible versions

samtrion opened this issue

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

nuget

Package manager version

nuget 6.x

Language version

.NET 6, .NET 7, .NET 8, .NET 9

Manifest location and content before the Dependabot update

/Directory.Packages.props

<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <GlobalPackageReference Include="CSharpier.MSBuild" Version="0.28.0" />
    <GlobalPackageReference Include="GitVersion.MsBuild" Version="5.12.0" />
    <GlobalPackageReference Include="Microsoft.CodeAnalysis.BannedApiAnalyzers" Version="3.3.4" />
    <GlobalPackageReference Include="Microsoft.CodeAnalysis.NetAnalyzers" Version="8.0.0" />
    <GlobalPackageReference Include="Microsoft.SourceLink.GitHub" Version="8.0.0" />
    <GlobalPackageReference Include="Microsoft.VisualStudio.Threading.Analyzers" Version="17.9.28" />
    <GlobalPackageReference Include="SonarAnalyzer.CSharp" Version="9.23.1.88495" Condition=" '$(BuildingInsideVisualStudio)' == 'true' " />
  </ItemGroup>
  <ItemGroup>
    <PackageVersion Include="ClickHouse.Client" Version="7.2.2" />
    <PackageVersion Include="Confluent.Kafka" Version="2.3.0" />
    <PackageVersion Include="coverlet.collector" Version="6.0.2" />
    <PackageVersion Include="coverlet.msbuild" Version="6.0.2" />
    <PackageVersion Include="Dapr.Client" Version="1.13.0" />
    <PackageVersion Include="Microsoft.AspNetCore.TestHost" Version="8.0.2" />
    <PackageVersion Update="Microsoft.AspNetCore.TestHost" Version="7.0.16" Condition=" '$(TargetFramework)' == 'net7.0' " />
    <PackageVersion Update="Microsoft.AspNetCore.TestHost" Version="6.0.27" Condition=" '$(TargetFramework)' == 'net6.0' " />
    <PackageVersion Include="Microsoft.Data.SqlClient" Version="5.1.5" />
    <PackageVersion Include="Microsoft.Data.Sqlite" Version="8.0.4" />
    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />
    <PackageVersion Include="MySql.Data" Version="8.3.0" />
    <PackageVersion Include="MySqlConnector" Version="2.3.6" />
    <PackageVersion Include="NetEvolve.Arguments" Version="1.1.9" />
    <PackageVersion Include="NetEvolve.Extensions.Tasks" Version="1.2.7" />
    <PackageVersion Include="NetEvolve.Extensions.XUnit" Version="2.1.7" />
    <PackageVersion Include="Npgsql" Version="8.0.2" />
    <PackageVersion Include="NSubstitute" Version="5.1.0" />
    <PackageVersion Include="Oracle.ManagedDataAccess.Core" Version="3.21.130" />
    <PackageVersion Include="System.Data.SqlClient" Version="4.8.6" />
    <PackageVersion Include="Testcontainers.ClickHouse" Version="3.8.0" />
    <PackageVersion Include="Testcontainers.Kafka" Version="3.8.0" />
    <PackageVersion Include="Testcontainers.MsSql" Version="3.8.0" />
    <PackageVersion Include="Testcontainers.MySql" Version="3.8.0" />
    <PackageVersion Include="Testcontainers.Oracle" Version="3.8.0" />
    <PackageVersion Include="Testcontainers.PostgreSql" Version="3.8.0" />
    <PackageVersion Include="Testcontainers.Redpanda" Version="3.8.0" />
    <PackageVersion Include="Testcontainers.SqlEdge" Version="3.8.0" />
    <PackageVersion Include="Verify.Xunit" Version="23.7.2" />
    <PackageVersion Include="xunit" Version="2.7.0" />
    <PackageVersion Include="xunit.runner.visualstudio" Version="2.5.7" />
  </ItemGroup>
</Project>

dependabot.yml content

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

# Every time I update this file without changing the content, I increment this counter.
# Counter: 13

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    commit-message:
      prefix: "build(ci)"
    labels:
      - "dependency-actions"
    open-pull-requests-limit: 50

  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "daily"
    commit-message:
      prefix: "build(deps)"
    labels:
      - "dependency-nuget"
    open-pull-requests-limit: 50
    groups:
     coverlet:
       patterns:
         - "coverlet*"
     nunit:
       patterns:
         - "nunit"
         - "nunit*"
     testcontainers:
       patterns:
         - "testcontainers*"
     verify:
       patterns:
         - "verify*"
     xunit:
       patterns:
         - "xunit"
         - "xunit*"

  - package-ecosystem: "gitsubmodule"
    directory: "/"
    schedule:
      interval: "daily"
    commit-message:
      prefix: "build(mods)"
    labels:
      - "dependency-gitmodule"
    open-pull-requests-limit: 50
    groups:
      submodules:
        patterns:
          - "*"

  - package-ecosystem: "devcontainers"
    directory: "/"
    schedule:
      interval: "daily"
    commit-message:
      prefix: "build(dev)"
    labels:
      - "dependency-devcontainers"
    open-pull-requests-limit: 50

Updated dependency

-    <PackageVersion Update="Microsoft.AspNetCore.TestHost" Version="7.0.16" Condition=" '$(TargetFramework)' == 'net7.0' " />
-    <PackageVersion Update="Microsoft.AspNetCore.TestHost" Version="6.0.27" Condition=" '$(TargetFramework)' == 'net6.0' " />
+    <PackageVersion Update="Microsoft.AspNetCore.TestHost" Version="8.0.2" Condition=" '$(TargetFramework)' == 'net7.0' " />
+    <PackageVersion Update="Microsoft.AspNetCore.TestHost" Version="8.0.2" Condition=" '$(TargetFramework)' == 'net6.0' " />
-    <PackageVersion Include="xunit" Version="2.7.0" />
-    <PackageVersion Include="xunit.runner.visualstudio" Version="2.5.7" />
+    <PackageVersion Include="xunit" Version="2.8.0" />
+    <PackageVersion Include="xunit.runner.visualstudio" Version="2.8.0" />
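
Review bot: the two `Update="Microsoft.AspNetCore.TestHost"` lines carry `Condition` attributes for `net7.0` and `net6.0` and match no pattern of the `xunit` group, so they should not change in this update. Setting both to `8.0.2` makes the conditional overrides identical to the unconditional `Include` entry, which removes the per-target-framework pins to 7.0.16 and 6.0.27. Keep those two lines as they were and limit the change to `xunit` and `xunit.runner.visualstudio`.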

What you expected to see, versus what you actually saw

-    <PackageVersion Include="xunit" Version="2.7.0" />
-    <PackageVersion Include="xunit.runner.visualstudio" Version="2.5.7" />
+    <PackageVersion Include="xunit" Version="2.8.0" />
+    <PackageVersion Include="xunit.runner.visualstudio" Version="2.8.0" />

Native package manager behavior

Only upgrades xunit

Images of the diff or a link to the PR, issue, or logs

dailydevops/healthchecks#287

Smallest manifest that reproduces the issue

/Directory.Packages.props

<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="Microsoft.AspNetCore.TestHost" Version="8.0.2" />
    <PackageVersion Update="Microsoft.AspNetCore.TestHost" Version="7.0.16" Condition=" '$(TargetFramework)' == 'net7.0' " />
    <PackageVersion Update="Microsoft.AspNetCore.TestHost" Version="6.0.27" Condition=" '$(TargetFramework)' == 'net6.0' " />
    <PackageVersion Include="xunit" Version="2.7.0" />
    <PackageVersion Include="xunit.runner.visualstudio" Version="2.5.7" />
  </ItemGroup>
</Project>

We have a similar issue where the Condition attribute isn't properly considered. Consolidating this one with #9299.
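
A guard for the failure reported in this issue, as an added example that is not Dependabot's code or part of the original thread: it compares a `Directory.Packages.props` before and after an update PR and flags every changed `PackageVersion` entry whose package falls outside the group's patterns, keeping each `Condition` as part of the entry's identity. The function names `entries` and `unexpected_changes` are hypothetical, and case-insensitive glob matching of the group patterns is an assumption.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Manifest shape taken from the issue's smallest reproduction; the versions are
# filled in to build the "before" and "after" states of the Dependabot PR.
TEMPLATE = """<Project>
  <ItemGroup>
    <PackageVersion Include="Microsoft.AspNetCore.TestHost" Version="8.0.2" />
    <PackageVersion Update="Microsoft.AspNetCore.TestHost" Version="{net7}" Condition=" '$(TargetFramework)' == 'net7.0' " />
    <PackageVersion Update="Microsoft.AspNetCore.TestHost" Version="{net6}" Condition=" '$(TargetFramework)' == 'net6.0' " />
    <PackageVersion Include="xunit" Version="{xunit}" />
    <PackageVersion Include="xunit.runner.visualstudio" Version="{runner}" />
  </ItemGroup>
</Project>"""
BEFORE = TEMPLATE.format(net7="7.0.16", net6="6.0.27", xunit="2.7.0", runner="2.5.7")
AFTER = TEMPLATE.format(net7="8.0.2", net6="8.0.2", xunit="2.8.0", runner="2.8.0")


def entries(props_xml):
    """Map (package, condition) -> version for every PackageVersion item."""
    out = {}
    for item in ET.fromstring(props_xml).iter("PackageVersion"):
        name = item.get("Include") or item.get("Update")
        cond = (item.get("Condition") or "").strip()
        out[(name, cond)] = item.get("Version")
    return out


def unexpected_changes(before_xml, after_xml, patterns):
    """Return changed entries whose package is outside the group's patterns."""
    before, after = entries(before_xml), entries(after_xml)
    flagged = []
    for (name, cond), old in sorted(before.items()):
        new = after.get((name, cond))
        # Assumption: group patterns are globs compared case-insensitively.
        in_group = any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)
        if new != old and not in_group:
            flagged.append((name, cond, old, new))
    return flagged


if __name__ == "__main__":
    # Patterns of the "xunit" group from the issue's dependabot.yml.
    for name, cond, old, new in unexpected_changes(BEFORE, AFTER, ["xunit", "xunit*"]):
        print(f"{name} [{cond or 'unconditional'}]: {old} -> {new}")
```

Run as a CI step on Dependabot PRs, a non-empty result is a reason to fail the build before the collapsed pins reach a restore.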