dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.

Home Page: https://docs.github.com/en/code-security/dependabot

Dependabot creating security update PR for non-vulnerable dependency

matjin opened this issue · comments

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

maven

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

I'm part of the ADO Dependabot team at Microsoft.

I'm reporting a case in which Dependabot is generating a security update PR (Bump spring-framework.version from 6.1.6 to 6.1.7) when spring-framework.version 6.1.6 is not vulnerable. The relevant parameters of the job in question are:

job:
  dependencies:
    - org.springframework:spring-web
  security-advisories:
    - dependency-name: org.springframework:spring-web
      affected-versions:
        - '>= 6.1.0, < 6.1.6'
        - '>= 6.0.0, < 6.0.19'
        - '< 5.3.34'
      patched-versions:
        - '6.1.6'
        - '6.0.19'
        - '5.3.34'
  security-updates-only: true

which are correct. There are a few odd things to observe:

  • the job parameters correctly state that 6.1.6 is not vulnerable
  • log statement "Checking all dependencies for version updates" -- the job parameters clearly state that security-updates-only should be "true"
  • log statement stating that the "Latest version is 6.1.7" when the feed "...maven/v1/org/springframework/spring-jdbc/maven-metadata.xml" goes up to 6.1.8

I also found a similar issue on an NPM job (dependency was qs) but the log expired so I didn't get a chance to gather the specifics of that situation. But I suspect this issue affects multiple ecosystems.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response
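To make the expected outcome concrete, here is an added example (not Dependabot's own code) that evaluates the advisory from the job parameters in this issue against a handful of versions. It uses Ruby's Gem::Requirement and Gem::Version as a stand-in for Dependabot's Maven version classes (an assumption; the two agree for plain dotted versions like these). The constructed ADVISORY hash copies the ranges from the report: 6.1.6 falls outside every affected range, so a security-updates-only job should produce no PR for it, while 6.1.5 should bump to the lowest patched version that is not below it, which is 6.1.6 rather than the newest release.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Constructed copy of the security-advisories entry from the job in this issue.
ADVISORY = {
  "dependency-name" => "org.springframework:spring-web",
  "affected-versions" => [">= 6.1.0, < 6.1.6", ">= 6.0.0, < 6.0.19", "< 5.3.34"],
  "patched-versions" => ["6.1.6", "6.0.19", "5.3.34"]
}.freeze

# Parse one affected-versions entry into a requirement. A comma-separated entry
# such as ">= 6.1.0, < 6.1.6" means every constraint must hold at once.
# Gem::Requirement is an assumed stand-in for Dependabot's Maven requirement class.
def parse_range(range)
  Gem::Requirement.new(*range.split(",").map(&:strip))
end

# A version is vulnerable when it satisfies ANY affected range. An explicitly
# listed patched version is treated as safe even if the range data disagrees
# (design choice: the patched list is the more specific statement).
def vulnerable?(advisory, version)
  v = Gem::Version.new(version)
  return false if advisory["patched-versions"].any? { |p| Gem::Version.new(p) == v }

  advisory["affected-versions"].any? { |r| parse_range(r).satisfied_by?(v) }
end

# For a security-updates-only job the target is the lowest patched version that
# is not below the current one; nil means no security update should be opened.
def security_update_target(advisory, version)
  return nil unless vulnerable?(advisory, version)

  v = Gem::Version.new(version)
  advisory["patched-versions"]
    .map { |p| Gem::Version.new(p) }
    .select { |p| p >= v }
    .min
    &.to_s
end

if $PROGRAM_NAME == __FILE__
  %w[6.1.5 6.1.6 6.1.7 6.0.18 5.3.33].each do |ver|
    puts "#{ver}: vulnerable=#{vulnerable?(ADVISORY, ver)} " \
         "target=#{security_update_target(ADVISORY, ver).inspect}"
  end
end
```

Running the script prints one line per version; the two values worth comparing against the job log are 6.1.6 (not vulnerable, target nil, so no PR) and 6.1.5 (vulnerable, target 6.1.6). A job that reports "Checking all dependencies for version updates" and then picks 6.1.7 is behaving like a version update, not like the security-only advisory match shown here.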