Poetry +1.2 is not updating group.dev.dependencies when using new group syntax vs dev-dependencies #6659

Closed
1 task done
magame95 opened this issue Feb 13, 2023 · 6 comments · Fixed by #6673
Labels
L: python:poetry Python packages via poetry T: bug 🐞 Something isn't working

Comments

@magame95

magame95 commented Feb 13, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

pip (poetry)

Package manager version

Poetry 1.2

Language version

Python 3.9

Manifest location and content before the Dependabot update

Location: /pyproject.toml
Content:

[tool.poetry]
name = "dependabot-poetry13"
version = "0.1.0"
description = ""
authors = ["magame95 <galavix.mendez@gmail.com>"]
readme = "README.md"
packages = [{include = "dependabot_poetry13"}]

[tool.poetry.dependencies]
python = "^3.9"
django = "^4.1.6"


[tool.poetry.group.dev.dependencies]
flake8 = "^5.0.4"
pre-commit = "^2.21.0"

[build-system]
requires = ["poetry-core"]
build-backend = "poetry.core.masonry.api"

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"

Updated dependency

flake8 5.0.4 to 6.0.0
pre-commit 2.21.0 to 3.0.4

What you expected to see, versus what you actually saw

Expected:
Dependabot creates 2 PRs
Bump flake8 from 5.0.4 to 6.0.0
Bump pre-commit from 2.21.0 to 3.0.4

Resulted:
Dependabot determined that an update was not possible (from logs).

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

I created 2 test repos to demonstrate the difference in Dependabot usage between the new Poetry group syntax and the old dev-dependencies syntax.
https://github.com/magame95/dependabot-poetry1.3
https://github.com/magame95/dependabot-poetry12 (Note how dependabot opened 2 PRs for the dependencies in question)

Also, if you look at the Insights for dev-dependencies, it's displaying development dependencies under Dependencies defined in pyproject.toml, in contrast to the group syntax repo Insights.

new group.dev.dependencies syntax: [image]
old dev-dependencies syntax: [image]

Smallest manifest that reproduces the issue

No response

magame95 added the "T: bug 🐞 Something isn't working" label Feb 13, 2023
magame95 changed the title from "Poetry +1.2 is not updating group.dev.depedencies when using new group syntax vs dev-dependencies" to "Poetry +1.2 is not updating group.dev.dependencies when using new group syntax vs dev-dependencies" Feb 13, 2023
deivid-rodriguez added the "L: python:poetry Python packages via poetry" label Feb 15, 2023
@deivid-rodriguez
Contributor

Hi @magame95!

The issue with missing PRs is indeed a problem with this library. I can reproduce it and I'm working on a fix.

The issue with the insights tab is also a problem, but it's not specific to the Dependabot update logic, but an issue with the Dependency Graph built by the GitHub.com site itself. I will make sure to pass the information along to the proper team, but you may want to open an issue about this at https://github.com/community/community/discussions/categories/code-security for better visibility.

@deivid-rodriguez
Contributor

#6673 should fix the issue with missing PRs!

@magame95
Author

@deivid-rodriguez Thank you for your swift response and work 😃! I just opened a discussion regarding the dependency graph issue as you suggested.

@magame95
Author

magame95 commented Mar 1, 2023

Hi! I noticed #6673 got merged 👍. I'm not familiar with how Dependabot gets deployed; may I assume that the fix is already live?

@jeffwidman
Member

I just finished deploying it. Please kick the tires, and if you're still seeing issues please let us know.

@magame95
Author

magame95 commented Mar 1, 2023

Works like a charm now ❤️. I can confirm dependabot opens expected PRs for dependencies under poetry groups! Thanks!
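
Added example, not part of the thread and not Dependabot's code: a small audit script that lists every Poetry dependency table in a `pyproject.toml`, including the `[tool.poetry.group.<name>.dependencies]` tables this issue is about, so you can see which packages a tool that only reads `dev-dependencies` would leave without update PRs. The function names and the sample manifest are constructed for illustration; it assumes Python 3.11+ (`tomllib`) or the `tomli` backport.

```python
try:
    import tomllib  # standard library from Python 3.11
except ImportError:  # assumption: the tomli backport is installed on older Pythons
    import tomli as tomllib

# Constructed sample mixing the three places Poetry accepts dependencies.
SAMPLE = """
[tool.poetry.dependencies]
python = "^3.9"
django = "^4.1.6"

[tool.poetry.dev-dependencies]
pytest = "^7.2.0"

[tool.poetry.group.dev.dependencies]
flake8 = "^5.0.4"
pre-commit = {version = "^2.21.0", optional = false}
"""

def collect_poetry_dependencies(text):
    """Return sorted (table, package, constraint) tuples for all Poetry tables."""
    poetry = tomllib.loads(text).get("tool", {}).get("poetry", {})
    tables = {
        "dependencies": poetry.get("dependencies", {}),
        "dev-dependencies": poetry.get("dev-dependencies", {}),  # pre-1.2 syntax
    }
    # Poetry 1.2+ syntax: one table per group under tool.poetry.group.<name>
    for group, body in poetry.get("group", {}).items():
        tables[f"group.{group}.dependencies"] = body.get("dependencies", {})
    found = []
    for table, deps in tables.items():
        for name, spec in deps.items():
            if name == "python":  # interpreter constraint, not a package
                continue
            if isinstance(spec, dict):  # inline table form, e.g. {version = "..."}
                spec = spec.get("version")  # None for git/path dependencies
            elif not isinstance(spec, str):  # multiple-constraint lists: not resolved here
                spec = None
            found.append((table, name, spec))
    return sorted(found, key=lambda row: row[:2])

def group_declared_packages(text):
    """Packages declared through the group syntax (any group name)."""
    return sorted(n for t, n, _ in collect_poetry_dependencies(text) if t.startswith("group."))

if __name__ == "__main__":
    for row in collect_poetry_dependencies(SAMPLE):
        print(row)
```
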
