An existing grouped PR by semver prevents non-matching individual PRs from being opened.
baseballlover723 opened this issue
Is there an existing issue for this?
- I have searched the existing issues
Package ecosystem
gradle
Package manager version
8.8
Language version
Java 21
Manifest location and content before the Dependabot update
https://github.com/baseballlover723/dependabot-reproduction-grouped/blob/master/build.gradle
dependabot.yml content
Updated dependency
No response
What you expected to see, versus what you actually saw
Expected any patch and minor upgrades to be grouped together in a single PR and any dependencies that have a major update to have individual PRs.
What I actually saw:
After releasing a new major private dependency (verified that the native version upgrader could see the new version) with a grouped minor/patch PR created on the repo and then running Dependabot to update, I expected a new PR (for org.springframework:spring-web: going from 5.3.36 -> 6.1.8) to be created for my new version dependency. However, Dependabot completed successfully and did not create a new PR.
Native package manager behavior
./gradlew dependencyUpdates
> Task :dependencyUpdates
------------------------------------------------------------
: Project Dependency Updates (report to plain text file)
------------------------------------------------------------
The following dependencies are using the latest milestone version:
- com.github.ben-manes.versions:com.github.ben-manes.versions.gradle.plugin:0.51.0
The following dependencies have later milestone versions:
- com.fasterxml.jackson.core:jackson-databind [2.16.2 -> 2.17.1]
https://github.com/FasterXML/jackson
- com.google.code.gson:gson [1.7.2 -> 2.11.0]
https://github.com/google/gson
- com.google.guava:guava [32.1.3-jre -> 33.2.1-jre]
https://github.com/google/guava
- joda-time:joda-time [2.12.6 -> 2.12.7]
https://www.joda.org/joda-time/
- junit:junit [4.13.1 -> 4.13.2]
http://junit.org
- org.apache.commons:commons-lang3 [3.13.0 -> 3.14.0]
https://commons.apache.org/proper/commons-lang/
- org.springframework:spring-web [5.3.36 -> 6.1.8]
https://github.com/spring-projects/spring-framework
Gradle release-candidate updates:
- Gradle: [8.8: UP-TO-DATE]
Generated report file build/dependencyUpdates/report.txt
Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.
You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.
For more on this, please refer to https://docs.gradle.org/8.8/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.
BUILD SUCCESSFUL in 1s
1 actionable task: 1 executed
Images of the diff or a link to the PR, issue, or logs
First Dependabot run (works as expected): https://github.com/baseballlover723/dependabot-reproduction-grouped/actions/runs/9424175879/job/25963954849
Later Dependabot run after adding major dependency upgrade: https://github.com/baseballlover723/dependabot-reproduction-grouped/actions/runs/9424237590/job/25964112784
Smallest manifest that reproduces the issue
https://github.com/baseballlover723/dependabot-reproduction-grouped.
This is a dummy project that I created to showcase this issue. It's not quite the same as the issue I had (which was in a private repo and is a private dependency), as I added a new updatable major dependency instead of releasing a major update for a dependency. I don't believe this should impact this bug, as I was still able to reproduce the issue.
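The split the report above describes (minor and patch upgrades in one grouped PR, each major upgrade in its own PR), applied to the `dependencyUpdates` output quoted in this issue. This is an added example, not part of the original issue and not Dependabot's code; the function names and the rule that qualifiers such as `-jre` are ignored when comparing versions are assumptions of the example.

```python
import re

# Constructed sample: update lines copied from the `./gradlew dependencyUpdates`
# report quoted in this issue (URL lines omitted).
REPORT = """\
- com.fasterxml.jackson.core:jackson-databind [2.16.2 -> 2.17.1]
- com.google.code.gson:gson [1.7.2 -> 2.11.0]
- com.google.guava:guava [32.1.3-jre -> 33.2.1-jre]
- joda-time:joda-time [2.12.6 -> 2.12.7]
- junit:junit [4.13.1 -> 4.13.2]
- org.apache.commons:commons-lang3 [3.13.0 -> 3.14.0]
- org.springframework:spring-web [5.3.36 -> 6.1.8]
"""
LINE = re.compile(r"^\s*-\s+(\S+)\s+\[(\S+)\s+->\s+(\S+)\]\s*$")


def numeric_parts(version):
    """Return (major, minor, patch) as ints, ignoring qualifiers such as '-jre'."""
    core = re.match(r"\d+(?:\.\d+)*", version)
    if core is None:
        raise ValueError(f"no numeric version in {version!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def update_type(old, new):
    """Classify an upgrade as 'major', 'minor' or 'patch' by the first differing part."""
    o, n = numeric_parts(old), numeric_parts(new)
    for label, a, b in zip(("major", "minor", "patch"), o, n):
        if a != b:
            return label
    return "patch"  # assumption: a qualifier-only change is treated as a patch


def expected_prs(report):
    """Split report lines into one grouped minor/patch PR and individual major PRs."""
    grouped, individual = [], []
    for line in report.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip headings, URLs and build noise
        name, old, new = m.groups()
        (individual if update_type(old, new) == "major" else grouped).append(name)
    return {"grouped": grouped, "individual": individual}


if __name__ == "__main__":
    print(expected_prs(REPORT))
```

Comparing the `individual` list against the PRs Dependabot actually has open shows which major upgrades are missing their own PR.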