
Dependabot opened a PR to update one dependency, but also downgraded another dependency. #5757

Open
1 task done
3choBoomer opened this issue Sep 20, 2022 · 6 comments
Labels
L: go:modules Golang modules T: bug 🐞 Something isn't working versioning

Comments

@3choBoomer

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

go

Package manager version

No response

Language version

1.18

Manifest location and content before the Dependabot update

module github.com/shipt/captain-hook/v11

go 1.18

require (
	github.com/aws/aws-sdk-go v1.44.14
	github.com/dnaeon/go-vcr v1.2.0
	github.com/go-playground/validator v9.31.0+incompatible
	github.com/go-test/deep v1.0.8
	github.com/goccy/go-yaml v1.9.5
	github.com/google/go-github/v25 v25.1.3
	github.com/oklog/run v1.1.0
	github.com/okta/okta-sdk-golang v1.0.1
	github.com/pkg/errors v0.9.1
	github.com/samber/lo v1.27.0
	github.com/segmentio/ksuid v1.0.4
	github.com/shipt/bubinga v1.2.0
	github.com/shipt/infraspec-api-go/v6 v6.24.10
	github.com/shipt/kafka v0.23.1
	github.com/shipt/pipeline-manager v0.53.8
	github.com/shipt/tempest v1.10.6
	github.com/spf13/cobra v1.4.0
	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
	gopkg.in/yaml.v2 v2.4.0
)

require (
	github.com/Shopify/sarama v1.34.1 // indirect
	github.com/alecthomas/jsonschema v0.0.0-20220216202328-9eeeec9d044b // indirect
	github.com/beorn7/perks v1.0.1 // indirect
	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
	github.com/cespare/xxhash/v2 v2.1.2 // indirect
	github.com/creasty/defaults v1.6.0 // indirect
	github.com/davecgh/go-spew v1.1.1 // indirect
	github.com/eapache/go-resiliency v1.2.0 // indirect
	github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21 // indirect
	github.com/eapache/queue v1.1.0 // indirect
	github.com/envoyproxy/protoc-gen-validate v0.6.7 // indirect
	github.com/fatih/color v1.13.0 // indirect
	github.com/fsnotify/fsnotify v1.5.4 // indirect
	github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 // indirect
	github.com/go-logr/logr v1.2.3 // indirect
	github.com/go-logr/stdr v1.2.2 // indirect
	github.com/go-playground/locales v0.14.0 // indirect
	github.com/go-playground/universal-translator v0.18.0 // indirect
	github.com/go-yaml/yaml v2.1.0+incompatible // indirect
	github.com/golang/protobuf v1.5.2 // indirect
	github.com/golang/snappy v0.0.4 // indirect
	github.com/google/go-querystring v1.1.0 // indirect
	github.com/google/uuid v1.3.0 // indirect
	github.com/gorilla/mux v1.8.0 // indirect
	github.com/grpc-ecosystem/grpc-gateway/v2 v2.10.1 // indirect
	github.com/hashicorp/errwrap v1.1.0 // indirect
	github.com/hashicorp/go-multierror v1.1.1 // indirect
	github.com/hashicorp/go-uuid v1.0.3 // indirect
	github.com/hashicorp/golang-lru v0.5.4 // indirect
	github.com/hashicorp/hcl v1.0.1-vault-3 // indirect
	github.com/iancoleman/orderedmap v0.2.0 // indirect
	github.com/inconshreveable/mousetrap v1.0.0 // indirect
	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
	github.com/jcmturner/gofork v1.0.0 // indirect
	github.com/jcmturner/gokrb5/v8 v8.4.2 // indirect
	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
	github.com/jmespath/go-jmespath v0.4.0 // indirect
	github.com/kelseyhightower/envconfig v1.4.0 // indirect
	github.com/klauspost/compress v1.15.6 // indirect
	github.com/leodido/go-urn v1.2.1 // indirect
	github.com/magiconair/properties v1.8.6 // indirect
	github.com/mattn/go-colorable v0.1.12 // indirect
	github.com/mattn/go-isatty v0.0.14 // indirect
	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
	github.com/mitchellh/mapstructure v1.5.0 // indirect
	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
	github.com/pelletier/go-toml v1.9.5 // indirect
	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
	github.com/pierrec/lz4/v4 v4.1.14 // indirect
	github.com/pquerna/ffjson v0.0.0-20190930134022-aa0246cd15f7 // indirect
	github.com/prometheus/client_golang v1.12.2 // indirect
	github.com/prometheus/client_model v0.2.0 // indirect
	github.com/prometheus/common v0.34.0 // indirect
	github.com/prometheus/procfs v0.7.3 // indirect
	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
	github.com/satori/go.uuid v1.2.1-0.20180404165556-75cca531ea76 // indirect
	github.com/spf13/afero v1.8.2 // indirect
	github.com/spf13/cast v1.5.0 // indirect
	github.com/spf13/jwalterweatherman v1.1.0 // indirect
	github.com/spf13/pflag v1.0.5 // indirect
	github.com/spf13/viper v1.11.0 // indirect
	github.com/subosito/gotenv v1.2.0 // indirect
	go.opentelemetry.io/otel v1.7.0 // indirect
	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.7.0 // indirect
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.7.0 // indirect
	go.opentelemetry.io/otel/sdk v1.7.0 // indirect
	go.opentelemetry.io/otel/trace v1.7.0 // indirect
	go.opentelemetry.io/proto/otlp v0.16.0 // indirect
	golang.org/x/crypto v0.0.0-20220518034528-6f7dac969898 // indirect
	golang.org/x/exp v0.0.0-20220303212507-bbda1eaf7a17 // indirect
	golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2 // indirect
	golang.org/x/sys v0.0.0-20220519141025-dcacdad47464 // indirect
	golang.org/x/text v0.3.7 // indirect
	golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f // indirect
	google.golang.org/appengine v1.6.7 // indirect
	google.golang.org/genproto v0.0.0-20220519153652-3a47de7e79bd // indirect
	google.golang.org/grpc v1.46.2 // indirect
	google.golang.org/protobuf v1.28.0 // indirect
	gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
	gopkg.in/ini.v1 v1.66.4 // indirect
	gopkg.in/yaml.v3 v3.0.1 // indirect
)

replace (
	go.opentelemetry.io/otel/exporters/otlp/otlptrace => go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.2.0
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp => go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.2.0
)

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "daily"
    allow:
      - dependency-name: "*/shipt/*"
    reviewers:
      - "shipt/devops"
      - "shipt/delivery"

Updated dependency

github.com/shipt/tempest v1.10.6 -> github.com/shipt/tempest v1.10.7

What you expected to see, versus what you actually saw

This PR, named "Bump github.com/shipt/tempest from 1.10.6 to 1.10.7", not only bumped Tempest but also downgraded github.com/shipt/pipeline-manager from v0.53.8 to v0.24.1.

expected:

...
	github.com/shipt/kafka v0.23.1
	github.com/shipt/pipeline-manager v0.53.8
	github.com/shipt/tempest v1.10.7
	github.com/spf13/cobra v1.4.0
...

got:

...
	github.com/shipt/kafka v0.23.1
	github.com/shipt/pipeline-manager v0.24.1
	github.com/shipt/tempest v1.10.7
	github.com/spf13/cobra v1.4.0
...

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs


Smallest manifest that reproduces the issue

No response

@3choBoomer 3choBoomer added the T: bug 🐞 Something isn't working label Sep 20, 2022
@jeffwidman jeffwidman added the L: go:modules Golang modules label Sep 20, 2022
@jeffwidman
Member

Is this the same as #4536?

Can you try to reproduce it locally using the instructions here? #4536 (comment)

I'd love to see this one fixed; it was super annoying at my last job before I joined the Dependabot team, but the number of users impacted is relatively low, so I just haven't gotten to it yet.

@3choBoomer
Author

I got very similar results from both sets of commands. go 1.18 here.
First command:

go clean -modcache && \
GOPRIVATE=* go get -v -d github.com/shipt/tempest@v1.10.7 && \
GOPRIVATE=* go mod tidy - compat=1.18 && \
git diff go.mod

output (trimmed to relevant parts)

go: downloading github.com/shipt/pipeline-manager v0.39.11
go: downgraded github.com/shipt/pipeline-manager v0.53.8 => v0.39.11
go: upgraded github.com/shipt/tempest v1.10.5 => v1.10.7
go: 'go mod tidy' accepts no arguments
go mod tidy && git diff go.mod
go: downloading github.com/inconshreveable/mousetrap v1.0.0
go: downloading google.golang.org/appengine v1.6.7
go: downloading gopkg.in/go-playground/assert.v1 v1.2.1
go: downloading github.com/stretchr/testify v1.7.1
go: downloading gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
go: downloading github.com/thoas/go-funk v0.9.1
go: downloading github.com/sirupsen/logrus v1.8.1
go: downloading github.com/Shopify/toxiproxy/v2 v2.4.0
go: downloading github.com/google/go-cmp v0.5.8
go: downloading github.com/jarcoal/httpmock v1.0.5
go: downloading go.uber.org/zap v1.17.0
go: downloading github.com/fortytw2/leaktest v1.3.0
go: downloading github.com/jcmturner/goidentity/v6 v6.0.1
go: downloading github.com/pelletier/go-toml/v2 v2.0.1
go: downloading github.com/frankban/quicktest v1.14.3
go: downloading github.com/jmespath/go-jmespath/internal/testify v1.5.1
go: downloading github.com/golang/glog v1.0.0
go: downloading github.com/kr/pretty v0.3.0
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading go.uber.org/multierr v1.6.0
go: downloading go.uber.org/atomic v1.7.0
go: downloading github.com/rogpeppe/go-internal v1.6.1
go: downloading github.com/kr/text v0.2.0
go: downloading github.com/Shopify/toxiproxy v2.1.4+incompatible

diff --git a/go.mod b/go.mod
index 71d572a..d9f0e43 100644
--- a/go.mod
+++ b/go.mod
@@ -17,8 +17,8 @@ require (
        github.com/shipt/bubinga v1.2.0
        github.com/shipt/infraspec-api-go/v6 v6.24.10
        github.com/shipt/kafka v0.23.1
-       github.com/shipt/pipeline-manager v0.53.8
-       github.com/shipt/tempest v1.10.6
+       github.com/shipt/pipeline-manager v0.39.11
+       github.com/shipt/tempest v1.10.7
        github.com/spf13/cobra v1.4.0
        golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
        gopkg.in/yaml.v2 v2.4.0
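Review bot: the downgrade this issue is about is right here in the direct require block, next to the intended bump: "github.com/shipt/pipeline-manager v0.53.8" is replaced by "github.com/shipt/pipeline-manager v0.39.11" alongside tempest v1.10.6 to v1.10.7, and the "go: downgraded github.com/shipt/pipeline-manager v0.53.8 => v0.39.11" line in the output above shows that go get itself made that change before go mod tidy ran. A PR whose title names a single bump should call out a second direct dependency moving backwards in its description, since a reviewer scanning the title alone would not expect to re-review pipeline-manager at an older version.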
@@ -104,7 +104,6 @@ require (
        google.golang.org/genproto v0.0.0-20220519153652-3a47de7e79bd // indirect
        google.golang.org/grpc v1.46.2 // indirect
        google.golang.org/protobuf v1.28.0 // indirect
-       gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
        gopkg.in/ini.v1 v1.66.4 // indirect
        gopkg.in/yaml.v3 v3.0.1 // indirect
 )
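Review bot: the dropped line "gopkg.in/go-playground/assert.v1 v1.2.1 // indirect" in this hunk is a go mod tidy pruning, unrelated to the tempest bump; nothing in the go get output above mentions that module. If this diff were the PR, the description should separate "tidy removed an unused indirect requirement" from "tempest bumped" so the removal is not mistaken for a deliberate change.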

Second set of commands:

go clean -modcache && \
GOPRIVATE=* go mod download && \
GOPRIVATE=* go get -v -d github.com/shipt/tempest@v1.10.7 && \
GOPRIVATE=* go mod tidy && \
git diff go.mod
...
go: downloading github.com/shipt/pipeline-manager v0.39.11
go: downgraded github.com/shipt/pipeline-manager v0.53.8 => v0.39.11
go: upgraded github.com/shipt/tempest v1.10.5 => v1.10.7
go: downloading github.com/stretchr/testify v1.7.1
go: downloading github.com/sirupsen/logrus v1.8.1
go: downloading go.uber.org/zap v1.17.0
go: downloading gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
go: downloading github.com/thoas/go-funk v0.9.1
go: downloading github.com/google/go-cmp v0.5.8
go: downloading github.com/Shopify/toxiproxy/v2 v2.4.0
go: downloading github.com/fortytw2/leaktest v1.3.0
go: downloading github.com/jarcoal/httpmock v1.0.5
go: downloading github.com/frankban/quicktest v1.14.3
go: downloading github.com/jcmturner/goidentity/v6 v6.0.1
go: downloading github.com/jmespath/go-jmespath/internal/testify v1.5.1
go: downloading github.com/golang/glog v1.0.0
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading github.com/Shopify/toxiproxy v2.1.4+incompatible
go: downloading go.uber.org/atomic v1.7.0
go: downloading go.uber.org/multierr v1.6.0
go: downloading github.com/kr/pretty v0.3.0
go: downloading github.com/rogpeppe/go-internal v1.6.1
go: downloading github.com/kr/text v0.2.0


diff --git a/go.mod b/go.mod
index 71d572a..d9f0e43 100644
--- a/go.mod
+++ b/go.mod
@@ -17,8 +17,8 @@ require (
        github.com/shipt/bubinga v1.2.0
        github.com/shipt/infraspec-api-go/v6 v6.24.10
        github.com/shipt/kafka v0.23.1
-       github.com/shipt/pipeline-manager v0.53.8
-       github.com/shipt/tempest v1.10.6
+       github.com/shipt/pipeline-manager v0.39.11
+       github.com/shipt/tempest v1.10.7
        github.com/spf13/cobra v1.4.0
        golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
        gopkg.in/yaml.v2 v2.4.0
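Review bot: this hunk is identical to the one from the first command set (same "index 71d572a..d9f0e43" header, same two replaced lines), so adding go mod download before go get made no difference to the result; the second run adds confirmation, not new information, and the downgrade reproduces deterministically from the same go.mod.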
@@ -104,7 +104,6 @@ require (
        google.golang.org/genproto v0.0.0-20220519153652-3a47de7e79bd // indirect
        google.golang.org/grpc v1.46.2 // indirect
        google.golang.org/protobuf v1.28.0 // indirect
-       gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
        gopkg.in/ini.v1 v1.66.4 // indirect
        gopkg.in/yaml.v3 v3.0.1 // indirect
 )

@bryan-aguilar

I am seeing similar issues. PR for ref

@adamyeats

Hey there! 👋 We are also seeing this issue on grafana/clickhouse-datasource#447, the github.com/ClickHouse/clickhouse-go/v2 dependency in go.mod gets downgraded to v2.3.0 where it shouldn't. I was not able to reproduce this locally by bumping the dependency manually and using go mod tidy.

@adamyeats

adamyeats commented Jul 26, 2023

Had another occurrence of this issue: this time the github.com/ClickHouse/clickhouse-go/v2 dependency in go.mod is meant to be upgraded from v2.10.0 to v2.11.0, but it instead gets downgraded to v2.3.0. grafana/clickhouse-datasource#463

@jakecoffman
Member

jakecoffman commented Jul 28, 2023

If I clone https://github.com/grafana/clickhouse-datasource and run go get github.com/ClickHouse/clickhouse-go/v2@v2.12.0 followed by go mod tidy it prints

go: finding module for package go.opentelemetry.io/otel/metric/instrument
go: finding module for package go.opentelemetry.io/otel/metric/global
github.com/grafana/clickhouse-datasource/pkg imports
	github.com/grafana/grafana-plugin-sdk-go/backend imports
	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc imports
	go.opentelemetry.io/otel/metric/global: module go.opentelemetry.io/otel/metric@latest found (v1.16.0), but does not contain package go.opentelemetry.io/otel/metric/global
github.com/grafana/clickhouse-datasource/pkg imports
	github.com/grafana/grafana-plugin-sdk-go/backend imports
	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc imports
	go.opentelemetry.io/otel/metric/instrument: module go.opentelemetry.io/otel/metric@latest found (v1.16.0), but does not contain package go.opentelemetry.io/otel/metric/instrument

So it seems the upgrade bumped the indirect dependency go.opentelemetry.io/otel/metric which puts the dependencies in an unsolvable state.

However, Dependabot also runs a bare go get, which fixes the broken state by downgrading clickhouse-go (probably using minimum version selection).


I suspect this is the source of all the downgraded dependencies. If anyone else wants to confirm by running the above steps on their repo that would help!
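Added example (my own code, not from this issue, Dependabot or the Go toolchain): a CI guard that parses the require lines of a before and after go.mod and reports any module whose version went backwards, which would have flagged the pipeline-manager downgrade shown in the diffs above regardless of whether go get or go mod tidy caused it. The go.mod fragments are constructed from the versions in this issue; real use would read the two files from the PR's base and head commits.

```go
package main
import (
	"fmt"
	"strings"
)

// Constructed go.mod fragments using the versions reported in this issue (not the real files).
const before = "require (\n\tgithub.com/shipt/kafka v0.23.1\n\tgithub.com/shipt/pipeline-manager v0.53.8\n\tgithub.com/shipt/tempest v1.10.6\n)\n"
const after = "require (\n\tgithub.com/shipt/kafka v0.23.1\n\tgithub.com/shipt/pipeline-manager v0.39.11\n\tgithub.com/shipt/tempest v1.10.7\n)\n"
// requires returns path -> version for each require line; the dot test skips "go 1.18" and "retract v1.0.0".
func requires(gomod string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and other comments
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) == 2 && strings.Contains(f[0], ".") && strings.HasPrefix(f[1], "v") {
			out[f[0]] = f[1]
		}
	}
	return out
}

// verKey maps "vMAJOR.MINOR.PATCH[suffix]" to a string that sorts in semver order: zero-padded core,
// then "~" for a plain release so it ranks above any "-pre", pseudo-version or "+incompatible" suffix.
func verKey(v string) string {
	core, suffix := strings.TrimPrefix(v, "v"), "~"
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		core, suffix = core[:i], core[i:]
	}
	var n [3]int
	fmt.Sscanf(core, "%d.%d.%d", &n[0], &n[1], &n[2]) // missing components stay 0
	return fmt.Sprintf("%010d.%010d.%010d%s", n[0], n[1], n[2], suffix)
}

// Downgrades lists every module required in both files whose version went backwards.
func Downgrades(before, after string) map[string][2]string {
	old, out := requires(before), map[string][2]string{}
	for path, v := range requires(after) {
		if ov, ok := old[path]; ok && verKey(v) < verKey(ov) {
			out[path] = [2]string{ov, v}
		}
	}
	return out
}

func main() {
	for path, v := range Downgrades(before, after) {
		fmt.Printf("DOWNGRADE %s: %s -> %s\n", path, v[0], v[1]) // any output should fail the CI job
	}
}
```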
