Comments (7)
greysteil
commented on May 22, 2024
Hey @OskarStark,
Thanks for reporting this - I totally rely on feedback like this to keep making Dependabot better.
I've just pushed this change that partly addresses the above - Dependabot will now keep the same digit length. In the case listed above, that would mean Dependabot wouldn't have updated your composer.json, just your composer.lock.
The change I've made doesn't stop Dependabot from updating your composer.json from ^2.5 to ^2.6, which I think is probably the behaviour you'd want anyway, except for if your repo is a library (in which case specifying it as such in the composer.json, or not committing the composer.lock, would trigger Dependabot's library behaviour and only update your composer.json if the new version was outside of your currently accepted range).
Make sense?
from dependabot-core.
OskarStark
commented on May 22, 2024
Hey @greysteil glad to hear that feedback from you 👍
ofc I will test it as soon as I can. And yes I want to upgrade from to 2.6 and 2.7 if ^2.5 is specified.
But I don't want to go to up to 3.x in this case ;-)
I will provide feedback here!
from dependabot-core.
greysteil
commented on May 22, 2024
Awesome. If you haven't merged the duff PR, and have made any changes to its target branch (normally master) since it was created, then commenting @dependabot rebase? on it should update the composer.json changes.
from dependabot-core.
OskarStark
commented on May 22, 2024
Hey @greysteil I closed the branches and me and/or dependabot closed some of these branches, so I could not reopen anymore :(
from dependabot-core.
greysteil
commented on May 22, 2024
Ah, OK. I've regenerated a few of those PRs for you with the new setup - let me know if that's any better!
from dependabot-core.
OskarStark
commented on May 22, 2024
I received a PR, but with the old (wrong) logic I guess:
from dependabot-core.
greysteil
commented on May 22, 2024
OK, I've updated our logic to not update the composer.json for PHP if the range is allowable, and will keep it that way unless I start hearing users asking for updates that look like the ones above. I've also kicked off another set of updates for the bad PRs on your repos - if you have any bad PRs that are open there just close them and Dependabot will re-generate them using the new logic the following morning.
Thanks for the feedback on this!
from dependabot-core.
Related Issues (20)
- Github Graphql returns none for author if dependabot PR
- NuGet version update with version number having 4 segments fail
- Updating Terrafrom version for tfenv
- Dependabot tries to update more dependencies than declared
- @dependabot ignore X patch version only works in group PR
- Multi-directory support bug with go, terraform, docker HOT 4
- Multi-directory PR creation with Terraform HOT 1
- Ant/Ivy Support
- Unable to rebase with dependency "next"
- Dependabot keeps sending in separate PR's instead of grouping them
- NuGet update with packages.config doesn't consider targets files
- Add update types for Cargo-style (in)compatible version upgrades
- pnpm9: version is incompatible with "/home/dependabot/dependabot-updater/repo". HOT 2
- Dependabot gets confused over a directory name HOT 1
- PNPM lockfileVersion reverted back from 9.0 to 6.0 HOT 11
- semver based ignoring / grouping doesn't work without package-lock.json HOT 2
- GitHub Actions update with PR closed by dependabot for different version update ignored due to "Pull request already exists for actions/setup-node with latest version 4"
- Duplicate PR for update in subdirectory
- NuGet updater should try to fix `NU1605` package downgrade errors
- Respect MSBuild property DirectoryPackagesPropsPath that overrides directory.packages.props name and location
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dependabot-core.