
dependabot (gomod) upgrades "minor" versions when it says it is upgrading "patch" versions #7607

Closed · 1 task done
julio-lopez opened this issue Jul 21, 2023 · 1 comment
Labels: T: bug 🐞 Something isn't working


julio-lopez commented Jul 21, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

gomod

Package manager version

Go 1.19

Language version

Go 1.19

Manifest location and content before the Dependabot update

https://github.com/kanisterio/kanister/blob/0ec651b1a6a5a10ad98c5fd1698aa673d72c4d70/go.mod

dependabot.yml content

https://github.com/kanisterio/kanister/blob/0ec651b1a6a5a10ad98c5fd1698aa673d72c4d70/.github/dependabot.yml

Updated dependency

Various in the k8s.io/* group, from 0.26.3 to supposedly 0.26.x (0.26.7).

See PR here kanisterio/kanister#2207

What you expected to see, versus what you actually saw

Expected

An update of the k8s.io/* packages with a patch upgrade. There is an ignore rule in the config for this. The PR message and description misleadingly appear to indicate that patch updates are being performed.

Bumps the k8s group with 6 updates:

| Package | Update |
| --- | --- |
| k8s.io/api | 0.26.3 to 0.26.7 |
| k8s.io/apiextensions-apiserver | 0.26.3 to 0.26.7 |
| k8s.io/cli-runtime | 0.26.3 to 0.26.7 |
| k8s.io/kubectl | 0.26.3 to 0.26.7 |
| sigs.k8s.io/controller-runtime | 0.14.6 to 0.15.0 |
| sigs.k8s.io/kustomize/kyaml | 0.13.9 to 0.14.3 |

See PR: kanisterio/kanister#2207 (comment)

Actual result

A minor (not patch) version upgrade of the k8s.io/* packages (from 0.26.x => 0.27.x), which is inconsistent with the PR message and the expected behavior according to the configuration.

See resulting go.mod file in the corresponding PR https://github.com/kanisterio/kanister/pull/2207/files

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

kanisterio/kanister#2207

Smallest manifest that reproduces the issue

No response

julio-lopez (Author) commented
Update: there was a little bit of user error here. (My bad)

It turns out our dependabot config had a typo. See kanisterio/kanister#2218

Nevertheless, the resulting behavior was confusing, misleading and probably undesirable.

After fixing that, dependabot opened a PR that matches the expected behavior. See kanisterio/kanister#2220

Thanks, folks, for dependabot and for continuing to improve it; it is extremely valuable to developers.
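A CI-side check of the kind this thread makes useful, added here as an example and not part of Dependabot or the kanister project: it parses a go.mod before and after a bot PR and lists every dependency whose major or minor version moved, so a patch-only policy is enforced independently of what the PR description claims. The go.mod fragments are constructed from the versions quoted above.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed go.mod fragments using versions quoted in the issue (k8s.io/api: patch bump; other two: minor bumps).
const BeforeGoMod = "require (\n\tk8s.io/api v0.26.3\n\tsigs.k8s.io/controller-runtime v0.14.6\n\tsigs.k8s.io/kustomize/kyaml v0.13.9 // indirect\n)\n"
const AfterGoMod = "require (\n\tk8s.io/api v0.26.7\n\tsigs.k8s.io/controller-runtime v0.15.0\n\tsigs.k8s.io/kustomize/kyaml v0.14.3 // indirect\n)\n"

// parseRequires maps module path -> version from go.mod require lines, single-line or "require ( ... )" block form.
func parseRequires(gomod string) map[string]string {
	out, inBlock := map[string]string{}, false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(strings.SplitN(raw, "//", 2)[0]) // drop "// indirect" comments
		f := strings.Fields(line)
		switch {
		case line == "require (" || line == ")":
			inBlock = line == "require ("
		case len(f) == 3 && f[0] == "require":
			out[f[1]] = f[2]
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		}
	}
	return out
}

// majorMinor trims the patch component ("v0.26.3" -> "v0.26"); pre-release suffixes are not handled here.
func majorMinor(v string) string {
	if i := strings.LastIndex(v, "."); i > 0 {
		return v[:i]
	}
	return v
}

// NonPatchBumps returns "module old -> new" for each shared dependency whose major or minor changed.
func NonPatchBumps(before, after string) []string {
	old, cur := parseRequires(before), parseRequires(after)
	var bumps []string
	for mod, nv := range cur {
		if ov, ok := old[mod]; ok && majorMinor(ov) != majorMinor(nv) {
			bumps = append(bumps, fmt.Sprintf("%s %s -> %s", mod, ov, nv))
		}
	}
	sort.Strings(bumps)
	return bumps
}
```

Run against the two go.mod fragments above, the check reports controller-runtime and kustomize/kyaml as non-patch bumps and is silent about k8s.io/api.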
