Dependabot creating security update PR for non-vulnerable dependency
matjin opened this issue
Is there an existing issue for this?
- I have searched the existing issues
Package ecosystem
maven
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
No response
dependabot.yml content
No response
Updated dependency
No response
What you expected to see, versus what you actually saw
I'm part of the ADO Dependabot team at Microsoft.
I'm reporting a case in which Dependabot is generating a security update PR (Bump spring-framework.version from 6.1.6 to 6.1.7) when spring-framework.version 6.1.6 is not vulnerable. The relevant parameters of the job in question are:

```yaml
job:
  dependencies:
    - org.springframework:spring-web
  security-advisories:
    - dependency-name: org.springframework:spring-web
      affected-versions:
        - '>= 6.1.0, < 6.1.6'
        - '>= 6.0.0, < 6.0.19'
        - < 5.3.34
      patched-versions:
        - 6.1.6
        - 6.0.19
        - 5.3.34
  security-updates-only: true
```

which are correct. There are a few odd things to observe:
- the job parameters correctly state that 6.1.6 is not vulnerable
- log statement "Checking all dependencies for version updates" -- the job parameters clearly state that security-updates-only should be "true"
- log statement stating that the "Latest version is 6.1.7" when the feed "...maven/v1/org/springframework/spring-jdbc/maven-metadata.xml" goes up to 6.1.8
I also found a similar issue on an NPM job (dependency was qs) but the log expired so I didn't get a chance to gather the specifics of that situation. But I suspect this issue affects multiple ecosystems.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response
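The check the report describes, as an added example that is not Dependabot's own code: it evaluates the advisory's affected-versions ranges from the job parameters above against a current version, and decides whether a security-updates-only job should propose a PR at all. The feed contents and the "lowest non-vulnerable version above current" selection rule are assumptions made for the example.

```ruby
# Added example (not Dependabot's code): decide whether a dependency version
# falls inside an advisory's affected ranges, and whether a security-only
# update job should propose a target version.
require "rubygems"  # Gem::Version / Gem::Requirement ship with Ruby

# Constructed from the security-advisories block quoted in the issue.
ADVISORY = {
  "dependency-name"   => "org.springframework:spring-web",
  "affected-versions" => [">= 6.1.0, < 6.1.6", ">= 6.0.0, < 6.0.19", "< 5.3.34"],
  "patched-versions"  => ["6.1.6", "6.0.19", "5.3.34"],
}.freeze

# A comma-separated constraint string ("">= 6.1.0, < 6.1.6") is one range:
# every part must hold for the version to be inside it.
def range_matches?(range, version)
  reqs = range.split(",").map(&:strip)
  Gem::Requirement.new(*reqs).satisfied_by?(Gem::Version.new(version))
end

# Vulnerable if any affected range contains the version.
def vulnerable?(advisory, version)
  advisory["affected-versions"].any? { |r| range_matches?(r, version) }
end

# With security-updates-only: true, a PR is expected only when the current
# version is vulnerable. Returns nil when no update should be proposed;
# otherwise picks the lowest non-vulnerable version above current
# (an assumption for this example, not Dependabot's own selection logic).
def security_update_target(advisory, current, available)
  return nil unless vulnerable?(advisory, current)

  cur = Gem::Version.new(current)
  candidates = available.map { |v| Gem::Version.new(v) }
                        .select { |v| v > cur && !vulnerable?(advisory, v.to_s) }
  candidates.min&.to_s
end

# Constructed sample feed (the issue's feed goes up to 6.1.8).
AVAILABLE = %w[6.1.5 6.1.6 6.1.7 6.1.8].freeze

if $PROGRAM_NAME == __FILE__
  puts "6.1.5 vulnerable? #{vulnerable?(ADVISORY, '6.1.5')}"   # true
  puts "6.1.6 vulnerable? #{vulnerable?(ADVISORY, '6.1.6')}"   # false
  p security_update_target(ADVISORY, "6.1.5", AVAILABLE)        # "6.1.6"
  p security_update_target(ADVISORY, "6.1.6", AVAILABLE)        # nil
end
```

For the job in the issue, the current version 6.1.6 is outside every affected range, so a security-updates-only run should return nil here and open no PR.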