
Dependabot ignores maven exclusions #9432

Open

turing85 opened this issue Apr 4, 2024 · 5 comments
Labels
L: git:submodules Git submodules L: java:maven Maven packages via Maven T: bug 🐞 Something isn't working

Comments

turing85 commented Apr 4, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

maven

Package manager version

maven 3.8.7

Language version

Java 17

Manifest location and content before the Dependabot update

https://github.com/quarkiverse/quarkus-artemis/blob/main/pom.xml
https://github.com/quarkiverse/quarkus-artemis/blob/main/build-parent/pom.xml
https://github.com/quarkiverse/quarkus-artemis/blob/main/integration-tests/camel-jms/pom.xml

dependabot.yml content

https://github.com/quarkiverse/quarkus-artemis/blob/main/.github/dependabot.yml

Lines of relevance:

Updated dependency

io.quarkus:quarkus-bom:

What you expected to see, versus what you actually saw

Expected:

The pull requests above should not have been opened.

Actual:

The pull requests were opened.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

See above.

Smallest manifest that reproduces the issue

No response

Additional information

@lkreimann

We have the same issue with JavaScript dependencies in some of our repositories. Unfortunately they are private repositories, so I can't give a lot of details to reproduce this issue.

@turing85 (Author)

It seems that dependabot is aware of the ignore condition, but did not apply it: quarkiverse/quarkus-artemis#481 (comment)

@turing85 (Author)

I dug through the logs of dependabot. The logs say that "All updates for io.quarkus:quarkus-bom were ignored". But, for example, for io.quarkus:quarkus-maven-plugin (which shares its version with io.quarkus:quarkus-bom), the logs do not show such a message. This seems to be the root cause why those dependencies get updated.
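
To make the "shares its version" mechanism in the comment above concrete, here is an added illustrative pom.xml fragment. It is not copied from quarkiverse/quarkus-artemis; the property name `quarkus.version` and the placeholder version value are assumptions. Because the BOM import and the plugin both read the same property, a Dependabot PR that bumps the plugin rewrites that property and moves the ignored BOM along with it:

```xml
<project>
  <properties>
    <!-- Assumed property name; one value drives both the BOM and the plugin.
         The version number is a placeholder. -->
    <quarkus.version>3.8.3</quarkus.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- This is the artifact the issue's dependabot.yml ignores. -->
      <dependency>
        <groupId>io.quarkus</groupId>
        <artifactId>quarkus-bom</artifactId>
        <version>${quarkus.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- Not ignored, but resolved from the same property: a PR that
           updates this plugin also updates quarkus-bom. -->
      <plugin>
        <groupId>io.quarkus</groupId>
        <artifactId>quarkus-maven-plugin</artifactId>
        <version>${quarkus.version}</version>
      </plugin>
    </plugins>
  </build>
</project>
```

The check a practitioner can do before filing a similar report: grep the pom for every `${...}` reference to the property behind the ignored artifact, and confirm each artifact that uses it is also covered by an ignore rule.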

@turing85 (Author)

For anyone having the issue: we were able to work around this with this MR: quarkiverse/quarkus-artemis#484. The important part is that we ignore io.quarkus:* instead of only ignoring io.quarkus:quarkus-bom.
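
The workaround in the comment above, written out as an added dependabot.yml example. This is illustrative and is not the file from quarkiverse/quarkus-artemis; the directory, schedule and the `update-types` values are assumptions. The commented-out entry is the narrow form this issue reports as ineffective; the active entry is the wildcard form the workaround uses:

```yaml
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"            # assumed: the root pom.xml
    schedule:
      interval: "weekly"      # assumed schedule
    ignore:
      # Before (the form this issue reports as ineffective): only the BOM
      # artifact is ignored, so a PR for io.quarkus:quarkus-maven-plugin
      # still bumps the version property both artifacts share.
      #- dependency-name: "io.quarkus:quarkus-bom"
      #  update-types: ["version-update:semver-major"]   # assumed

      # After (the workaround in quarkiverse/quarkus-artemis#484): the
      # whole io.quarkus group is ignored, so no single artifact's PR can
      # move the shared property.
      - dependency-name: "io.quarkus:*"
        update-types: ["version-update:semver-major"]    # assumed
```

Caveat: a wildcard `dependency-name` silences every update Dependabot would otherwise raise for that group in that directory, so keep the `update-types` restriction as tight as the project can tolerate rather than dropping it and ignoring the group outright.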
