
Change to default behaviors around Grouping and modifying pinned versions with Bundler/Gemfile #11650

Open
1 task done
woodardj opened this issue Feb 20, 2025 · 0 comments
Labels
L: go:modules Golang modules L: javascript L: ruby:bundler RubyGems via bundler T: bug 🐞 Something isn't working

Comments


Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

bundler

Package manager version

bundler 2.5.22

Language version

ruby 3.3

Manifest location and content before the Dependabot update

/Gemfile

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "bundler" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"

Updated dependency

Build(deps): Bump activerecord-postgis-adapter, rails, font-awesome-rails, view_component, net-http, slack-ruby-client and standard
The above was created after I asked dependabot for a rebase of a font-awesome-rails PR, a view_component PR, and an activerecord-postgis-adapter PR

Build(deps): Bump psych from 4.0.6 to 5.2.3

What you expected to see, versus what you actually saw

The documentation suggests that "non grouped" (individual dependencies) is the default behavior, but after rebasing several open updates, Dependabot closed them in favor of a grouped one. I have no "group" directives set in my yaml or repo settings.

Additionally, this grouped update PR has made changes to the pinned major version of rails in Gemfile (I have one other Dependabot PR that has also modified the pinned major in Gemfile).

If this is two issues (grouping with no grouping directives + modifying pinned versions), I'm happy to refile.

Native package manager behavior

In the past, I've always expected Dependabot PRs to only modify Gemfile.lock within the bounds I've explicitly set in Gemfile.

If the dependabot "dependency management" feature is going to make a note of updates beyond my pinned version, I would expect it to behave like the dependabot vuln system that offers a list of alerts for me to triage manually, instead of opening PRs that might blow up my app if merged by accident.

Images of the diff or a link to the PR, issue, or logs


Smallest manifest that reproduces the issue

No response

@woodardj woodardj added the T: bug 🐞 Something isn't working label Feb 20, 2025
@github-actions github-actions bot added L: go:modules Golang modules L: javascript L: ruby:bundler RubyGems via bundler labels Feb 20, 2025
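The invariant the report describes (a dependency-bump PR should only move Gemfile.lock within the constraints declared in Gemfile, never the pins themselves) can be checked mechanically before merge. The following is an added example, not code from Dependabot or from this issue; the two Gemfile snippets are constructed, and the gem names and versions in them are illustrative only.

```ruby
require "rubygems"

# Constructed sample: the Gemfile as pinned by the maintainer, and the
# same file after a hypothetical bot PR loosened the rails pin.
GEMFILE_BEFORE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails", "~> 7.1.0"
  gem "psych", "~> 4.0"
  gem "view_component"
GEMFILE
GEMFILE_AFTER = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails", "~> 8.0.0"
  gem "psych", "~> 4.0"
  gem "view_component"
GEMFILE

# Parse `gem "name", "req1", "req2", ...` lines into { name => Gem::Requirement }.
# Only quoted positional arguments are treated as version requirements, so
# keyword options such as `require: "x"` or `group: :test` are ignored.
# Gems declared without a requirement get the default (">= 0").
def gemfile_requirements(text)
  text.each_line.with_object({}) do |line, reqs|
    next unless (m = line.match(/^\s*gem\s+["']([^"']+)["'](.*)$/))
    versions = m[2].split(",").filter_map { |t| t.strip[/\A["']([^"']+)["']\z/, 1] }
    reqs[m[1]] = Gem::Requirement.new(versions.empty? ? [">= 0"] : versions)
  end
end

# Gems whose declared requirement differs between the two Gemfiles, as
# [name, before, after] triples (nil when the gem is absent on one side).
# A lockfile-only dependency bump is expected to leave this list empty.
def changed_pins(before_text, after_text)
  before = gemfile_requirements(before_text)
  after  = gemfile_requirements(after_text)
  (before.keys | after.keys).filter_map do |name|
    next if before[name] == after[name]
    [name, before[name]&.to_s, after[name]&.to_s]
  end
end

# True when a resolved (lockfile) version falls outside the Gemfile pin.
def outside_pin?(requirement, version)
  !requirement.satisfied_by?(Gem::Version.new(version))
end
```

Running `changed_pins` on the before/after Gemfile of a PR, and `outside_pin?` on each lockfile version against the original pins, flags exactly the kind of change this issue reports so it can be reviewed rather than auto-merged.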