
Grouped dependencies - Old PR not closing when new PR added by dependabot #7305

Closed
1 task done
planetf1 opened this issue May 12, 2023 · 7 comments
Labels
F: grouped-updates 🎳 Relates to bumping more than one dependency in a single PR service 💁 Relates to Dependabot features GitHub provides T: bug 🐞 Something isn't working

Comments

@planetf1

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

gradle

Package manager version

8.0.2

Language version

Java 17

Manifest location and content before the Dependabot update

https://github.com/odpi/egeria/blob/main/bom/build.gradle

dependabot.yml content

https://github.com/odpi/egeria/blob/main/.github/dependabot.yml

Updated dependency

Handling several groups

  groups:
    spring:
      patterns:
        - "*spring*"
        - "*tomcat*"
    janusgraph:
      patterns:
        - "*janus*"
        - "*gremlin*"
        - "*elasticsearch*"
        - "*lucene*"
    slf4j:
      patterns:
        - "*slf4j*"
    jackson:
      patterns:
        - "com.fasterxml.*"

What you expected to see, versus what you actually saw

When new updates were available within a dependency group, or the dependency group definition was changed, a new PR should be opened, and the old one closed (or the original updated).

What actually happened is I ended up with multiple PRs for each group.

I suspect it was editing of the dependabot.xml that resulted in this behaviour, as I would have added additional wildcards to the group as I started experimenting.

(Will close manually)

Native package manager behavior

n/a

Images of the diff or a link to the PR, issue, or logs

➜  egeria git:(dependabotgrp1) gh pr list | grep prototype
7674	Bump the jackson group with 2 updates	dependabot/gradle/jackson/prototype-1683827379	OPEN	2023-05-11 17:49:41 +0000 UTC
7673	Bump the spring group with 17 updates	dependabot/gradle/spring/prototype-1683827337	OPEN	2023-05-11 17:48:59 +0000 UTC
7667	Bump the janusgraph group with 16 updates	dependabot/gradle/janusgraph/prototype-1683825802	OPEN	2023-05-11 17:23:24 +0000 UTC
7666	Bump the jackson group with 2 updates	dependabot/gradle/jackson/prototype-1683825609	OPEN	2023-05-11 17:20:11 +0000 UTC
7665	Bump the spring group with 17 updates	dependabot/gradle/spring/prototype-1683825567	OPEN	2023-05-11 17:19:29 +0000 UTC

Smallest manifest that reproduces the issue

No response

@planetf1 planetf1 added the T: bug 🐞 Something isn't working label May 12, 2023
@planetf1
Author

I also noticed that some older normal dependabot PRs were left open. These target a single dependency which I'd have expected to have been superseded by the defined patterns, i.e.:

➜  egeria git:(dependabotgrp1) gh pr list | grep spring
7673	Bump the spring group with 17 updates	dependabot/gradle/spring/prototype-1683827337	OPEN	2023-05-11 17:48:59 +0000 UTC
7642	Bump org.springdoc:springdoc-openapi-starter-webmvc-ui from 2.0.4 to 2.1.0	dependabot/gradle/org.springdoc-springdoc-openapi-starter-webmvc-ui-2.1.0	OPEN	2023-05-01 04:12:36 +0000 UTC
7641	Bump org.springframework.boot from 2.7.10 to 2.7.11	dependabot/gradle/org.springframework.boot-2.7.11	OPEN	2023-05-01 04:09:51 +0000 UTC
7638	Bump springbootVersion from 3.0.5 to 3.0.6	dependabot/gradle/springbootVersion-3.0.6	OPEN	2023-05-01 04:06:04 +0000 UTC
7633	Bump springsecurityVersion from 6.0.2 to 6.0.3	dependabot/gradle/springsecurityVersion-6.0.3	OPEN	2023-05-01 03:58:34 +0000 UTC

@edmorley

edmorley commented Jul 5, 2023

I also noticed that some older normal dependabot PRs were left open

We encountered this too.

For example, groups were enabled in heroku/buildpacks-go#114, which resulted in a new grouped PR being opened (heroku/buildpacks-go#116), however the old PRs for those deps weren't closed:
heroku/buildpacks-go#108
heroku/buildpacks-go#109

@edmorley

edmorley commented Jul 5, 2023

Plus when I manually closed the old redundant ungrouped PRs, I got the "ignoring this dependency version" message which is not what I wanted (I expected Dependabot to realise the PR had been replaced instead).

@teor2345

We encountered this both ways, with:

Error group didn't close single PR, but was closed when it merged:
ZcashFoundation/zebra#7185 (group, closed when non-group PR merged)
ZcashFoundation/zebra#7174 (single, should have been closed by group PR, merged instead)

serde group closed single PR:
ZcashFoundation/zebra#7184 (group PR)
ZcashFoundation/zebra#7173 (single PR closed by group PR)

@abdulapopoola
Member

Hi @edmorley; please, is this resolved? Or are you still running into issues?

@edmorley

edmorley commented Oct 9, 2023

@abdulapopoola I'm still seeing some cases of old PRs not being closed - I've filed a new issue with more details (since I wasn't the OP in this issue, so I don't want to hijack this thread): #8162

@jakecoffman
Member

I just shipped a fix for this. Going forward Dependabot will close older PRs if the dependencies in them are a subset of the new PR's updated dependencies.

Thanks for all the reports!
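The group patterns quoted in the issue body and the subset rule described in the fix comment, as an added worked example that is not part of this thread or of Dependabot's own code base. It assumes group patterns behave like shell globs (modelled with Ruby's File.fnmatch); the PR numbers and single-dependency names are taken from the thread's listings, while the dependency list of the spring group PR is a constructed five-entry stand-in, since the real 17 are not listed.

```ruby
# Added example, not Dependabot's own code: models (1) how the group
# patterns from the issue's dependabot.yml assign dependencies to groups and
# (2) the "close older PRs whose dependencies are a subset of the new PR's"
# rule described in the fix comment. Nothing here talks to GitHub.
require 'yaml'
require 'set'

# Constructed copy of the groups block quoted in the issue.
DEPENDABOT_GROUPS_YAML = <<~YAML
  groups:
    spring:
      patterns:
        - "*spring*"
        - "*tomcat*"
    janusgraph:
      patterns:
        - "*janus*"
        - "*gremlin*"
        - "*elasticsearch*"
        - "*lucene*"
    slf4j:
      patterns:
        - "*slf4j*"
    jackson:
      patterns:
        - "com.fasterxml.*"
YAML

def load_groups(yaml_text)
  YAML.safe_load(yaml_text).fetch('groups')
end

# Assumption: group patterns behave like shell globs, modelled with
# File.fnmatch. Returns the first matching group name, or nil if ungrouped.
def group_for(groups, dep_name)
  groups.each do |group_name, cfg|
    return group_name if cfg['patterns'].any? { |pat| File.fnmatch(pat, dep_name) }
  end
  nil
end

# Partitions dependency names into { group_name => [deps] }; ungrouped
# dependencies land under the nil key.
def partition_by_group(groups, dep_names)
  dep_names.group_by { |dep| group_for(groups, dep) }
end

# The subset rule: an already-open PR is superseded when every dependency it
# bumps is also bumped by the new PR. Returns the superseded PR numbers; the
# caller would close them (nothing is closed here).
def superseded_prs(open_prs, new_pr)
  new_deps = new_pr[:deps].to_set
  open_prs
    .reject { |pr| pr[:number] == new_pr[:number] }
    .select { |pr| pr[:deps].to_set.subset?(new_deps) }
    .map { |pr| pr[:number] }
end

# Constructed sample: PR numbers and single-dependency names come from the
# listings in the thread; the real spring group PR bumps 17 dependencies,
# which are not listed, so this five-entry stand-in is used instead.
SPRING_DEPS = [
  'org.springframework.boot',
  'springbootVersion',
  'springsecurityVersion',
  'org.springdoc:springdoc-openapi-starter-webmvc-ui',
  'org.apache.tomcat.embed:tomcat-embed-core'
].freeze

SAMPLE_OPEN_PRS = [
  { number: 7667, deps: ['org.janusgraph:janusgraph-core', 'org.apache.lucene:lucene-core'] },
  { number: 7665, deps: SPRING_DEPS }, # earlier spring group PR, same deps
  { number: 7642, deps: ['org.springdoc:springdoc-openapi-starter-webmvc-ui'] },
  { number: 7641, deps: ['org.springframework.boot'] },
  { number: 7638, deps: ['springbootVersion'] },
  { number: 7633, deps: ['springsecurityVersion'] },
  { number: 7600, deps: ['junit:junit'] } # constructed: unrelated, ungrouped
].freeze

NEW_SPRING_GROUP_PR = { number: 7673, deps: SPRING_DEPS }.freeze

if __FILE__ == $PROGRAM_NAME
  groups = load_groups(DEPENDABOT_GROUPS_YAML)
  all_deps = SAMPLE_OPEN_PRS.flat_map { |pr| pr[:deps] }.uniq
  puts "Group membership: #{partition_by_group(groups, all_deps)}"
  puts "Closed by ##{NEW_SPRING_GROUP_PR[:number]}: #{superseded_prs(SAMPLE_OPEN_PRS, NEW_SPRING_GROUP_PR)}"
end
```

Run as a script it prints which sample dependencies fall into which group and which of the older PRs the subset rule supersedes: the earlier spring group PR and the four single-dependency spring PRs are closed, while the janusgraph group PR and the unrelated junit PR stay open because they bump something the new PR does not.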

@jakecoffman jakecoffman self-assigned this Oct 11, 2023
@jakecoffman jakecoffman added service 💁 Relates to Dependabot features GitHub provides F: grouped-updates 🎳 Relates to bumping more than one dependency in a single PR labels Oct 11, 2023
5 participants