
Getting error 'security_update_dependency_not_found' on security update of v2 #1511

Open
SatheeshS-optym opened this issue Dec 10, 2024 · 1 comment

Comments

@SatheeshS-optym

I have recently run Dependabot to check for security updates and reported another related issue on #1490. My configuration specifies multiple directories for npm and pip package managers. During a recent build, Dependabot identified numexpr as a vulnerable security package but failed to locate the exact requirements.txt file path within the multiple directories, resulting in the error 'security_update_dependency_not_found'. However, it successfully created a PR when I specified a single directory containing the numexpr package. Please let me know if I should specify a single directory exclusively for security updates or if I can proceed with the following Dependabot configuration as it is.

Please find the attached detailed logs here:
5_Run Dependabot.txt

dependabot.yml

version: 2
updates:
  - package-ecosystem: "nuget"
    directories:
      - /Engine/
    labels:
      - "nuget"
      - "dependencies"
    open-pull-requests-limit: 0
    commit-message:
      prefix: "nuget"
      prefix-development: "nuget"
      include: "scope-and-version"
      separator: "-"
    groups:
      nuget:
        patterns:
          - "*"

  - package-ecosystem: "npm"
    directories:
      - /common/**/*
      - /Frontend/
      - /sdk/
      - /Shared/
    labels:
      - "npm"
      - "dependencies"
    open-pull-requests-limit: 0
    commit-message:
      prefix: "npm"
      prefix-development: "npm"
      include: "scope-and-version"
      separator: "-"
    groups:
      npm:
        patterns:
          - "*"

  - package-ecosystem: "pip"
    directories:
      - /.azure/db-deploy-script
      - /Forecasting
      - /Utility/*
    labels:
      - "pip"
      - "dependencies"
    open-pull-requests-limit: 0
    commit-message:
      prefix: "pip"
      prefix-development: "pip"
      include: "scope-and-version"
      separator: "-"
    groups:
      pip:
        patterns:
          - "*"
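One way to check, before opening an issue, which of the configured pip directories actually carry the package Dependabot flagged: the script below is an added diagnostic written for this thread, not the reporter's code and not Dependabot's own resolution logic. It expands the three `directories` entries from the pip block above (a literal path, another literal path, and the `/Utility/*` glob) against a constructed sample repository, parses each `requirements.txt` with PEP 503 name normalisation, and reports the directories that list the package. The repository layout, file contents and the `find_package` helper are assumptions made for the example.

```python
"""Locate which requirements.txt files under a Dependabot 'directories' list
actually declare a given package (hypothetical diagnostic, not Dependabot code)."""
import glob
import os
import re
import tempfile

# Directories copied from the pip block of the reporter's dependabot.yml
PIP_DIRECTORIES = ["/.azure/db-deploy-script", "/Forecasting", "/Utility/*"]

# Matches the project name at the start of a requirement line, e.g.
# "numexpr==2.8.4", "numexpr>=2.7", "numexpr[extra]", "NumExpr ; python_version..."
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def expand_directories(repo_root, directories):
    """Expand Dependabot-style directory entries (which may contain globs) to
    existing directories under repo_root. Returns sorted repo-relative paths."""
    found = []
    for entry in directories:
        pattern = os.path.join(repo_root, entry.strip("/"))
        for path in sorted(glob.glob(pattern, recursive=True)):
            if os.path.isdir(path):
                rel = os.path.relpath(path, repo_root).replace(os.sep, "/")
                found.append("/" + rel)
    return found


def packages_in_requirements(path):
    """Return the normalised project names declared directly in one requirements file.
    Comments, blank lines and option lines (-r, -e, --index-url, ...) are skipped,
    so packages pulled in through '-r other.txt' are NOT attributed to this file."""
    names = set()
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.split("#", 1)[0].strip()
            if not line or line.startswith("-"):
                continue
            match = _REQ_LINE.match(line)
            if match:
                names.add(normalize(match.group(1)))
    return names


def find_package(repo_root, directories, package):
    """Return the repo-relative directories whose requirements.txt lists `package`."""
    hits = []
    for directory in expand_directories(repo_root, directories):
        req = os.path.join(repo_root, directory.strip("/"), "requirements.txt")
        if os.path.isfile(req) and normalize(package) in packages_in_requirements(req):
            hits.append(directory)
    return hits


def build_sample_repo():
    """Constructed sample repository layout (assumption; not the reporter's real tree)."""
    root = tempfile.mkdtemp(prefix="dependabot-demo-")
    files = {
        ".azure/db-deploy-script/requirements.txt": "psycopg2-binary==2.9.9\n",
        "Forecasting/requirements.txt": "pandas==2.2.2\nnumexpr==2.8.4  # pinned\n",
        "Utility/reports/requirements.txt": "NumExpr>=2.7\n",
        "Utility/cleanup/requirements.txt": "-r ../reports/requirements.txt\nrequests==2.32.3\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    print("expanded directories:", expand_directories(repo, PIP_DIRECTORIES))
    print("numexpr declared in:", find_package(repo, PIP_DIRECTORIES, "numexpr"))
```

Running it against the sample tree reports `numexpr` in `/Forecasting` and `/Utility/reports` only; `/Utility/cleanup` reaches it through an `-r` include, which the scanner deliberately does not follow, so a package that is only reachable that way would not show up as a direct match in any configured directory. Pointing the same script at a real checkout shows whether the flagged package is declared in a directory that the glob in the config actually expands to.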
@rhyskoedijk
Contributor

@SatheeshS-optym, thanks for the report. My understanding is that multiple directories should work and your configuration appears to be sane. I'm not very familiar with Python or pip, but when I have some free time I will attempt to reproduce the issue using your config and see if I can find out what is going wrong.
