
jQuery should be upgraded to 3.5.1 #2805

Closed
valentijnscholten opened this issue Aug 27, 2020 · 3 comments

Comments

@valentijnscholten
Member

jQuery is lagging behind a bit at 3.5.1 due to dependabot not offering 3.5.1 to us in a PR.
We skipped 3.5.0 in #2416
I have filed a bug report with dependabot, so let's wait a bit to see their response. I'd like to help them fix it. Or get educated on what we're missing :-)
The update is not urgent, so we can afford to wait. It would also help us to see it fixed and test it so we can start trusting dependabot again :-)

@valentijnscholten
Member Author

This is what I sent to them:

Hi,

We are using dependabot and it works fine most of the time. But currently we see what we believe to be a bug.

Earlier this year we got a PR from dependabot to update jquery from 3.4.1 to 3.5.0.

But jquery 3.5.0 had breaking changes, so we wanted to skip 3.5.0. So we used

@dependabot close

There was no suitable ignore option, as we didn't want to ignore 3.x.x and didn't want to ignore 3.5.x, and dependabot doesn't allow ignoring a specific patch version. So we just closed the PR.

However, now that jquery 3.5.1 is out for a while we should get a PR for that from dependabot. But we don't.
In the logs I can see that dependabot sees 3.5.1 as the latest version, but it seems to skip it because there is already a PR for 3.5.0?

updater | INFO <job_45257903> Starting job processing
updater | INFO <job_45257903> Starting update job for DefectDojo/django-DefectDojo
updater | INFO <job_45257903> Checking if jquery 3.4.1 needs updating
  proxy | 2020/08/27 18:41:01 [004] GET https://registry.npmjs.org:443/jquery
  proxy | 2020/08/27 18:41:01 [004] 200 https://registry.npmjs.org:443/jquery
  proxy | 2020/08/27 18:41:01 [006] GET https://registry.npmjs.org:443/jquery/3.5.1
  proxy | 2020/08/27 18:41:01 [006] 200 https://registry.npmjs.org:443/jquery/3.5.1
updater | INFO <job_45257903> Latest version is 3.5.1
  proxy | 2020/08/27 18:41:01 [008] GET https://registry.npmjs.org:443/jquery/3.5.0
updater | INFO <job_45257903> Requirements to unlock own
updater | INFO <job_45257903> Requirements update strategy bump_versions
updater | INFO <job_45257903> Pull request already exists for jquery@3.5.0

Two issues with that:
1) that PR is closed so it should create a new one
2) that PR is for 3.5.0 and we now have 3.5.1 available so even if there already is an existing (open or closed) PR it should create a new PR?

Or are we missing something?

Valentijn

Logs: https://app.dependabot.com/accounts/DefectDojo/update-logs/45257903
PR: https://github.com/DefectDojo/django-DefectDojo/pull/2416
Repo: https://github.com/DefectDojo/django-DefectDojo
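The log excerpt above shows the condition being reported: the updater announces "Latest version is 3.5.1" and then stops at "Pull request already exists" for an older version. The script below is an added example (not code from DefectDojo or from Dependabot) that scans a Dependabot updater log for exactly that pattern, so a team can flag a dependency whose available update is being masked by an earlier PR. The sample log is constructed from the lines quoted in this issue, with the `jquery@3.5.0` form of the last line assumed from the surrounding context; the line formats the regexes match are assumed from the quoted output and are not a documented Dependabot log schema.

```python
"""Flag Dependabot jobs where an existing PR hides a newer release.

Added example, not part of this issue's project or of Dependabot itself.
It reads the updater log format quoted in the issue and reports every
dependency where "Latest version is X" is followed by
"Pull request already exists for dep@Y" with Y older than X.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample log constructed from the lines quoted in the issue (job id and
# versions as reported there; the dep@version form is assumed).
SAMPLE_LOG = """\
updater | INFO <job_45257903> Starting job processing
updater | INFO <job_45257903> Starting update job for DefectDojo/django-DefectDojo
updater | INFO <job_45257903> Checking if jquery 3.4.1 needs updating
  proxy | 2020/08/27 18:41:01 [004] GET https://registry.npmjs.org:443/jquery
  proxy | 2020/08/27 18:41:01 [006] 200 https://registry.npmjs.org:443/jquery/3.5.1
updater | INFO <job_45257903> Latest version is 3.5.1
updater | INFO <job_45257903> Requirements update strategy bump_versions
updater | INFO <job_45257903> Pull request already exists for jquery@3.5.0
"""

# Line shapes assumed from the quoted output, not from Dependabot docs.
CHECK_RE = re.compile(r"Checking if (\S+) (\S+) needs updating")
LATEST_RE = re.compile(r"Latest version is (\S+)")
EXISTS_RE = re.compile(r"Pull request already exists for (.+)@(\S+)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.5.1' into (3, 5, 1) for ordering.

    Only numeric dotted versions are handled; any pre-release suffix is
    ignored, which is enough for the release versions in the log.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


@dataclass
class StalePr:
    dependency: str
    current: str      # version currently pinned in the repo
    latest: str       # newest version the registry offers
    pr_version: str   # version the existing (possibly closed) PR targets


def find_stale_prs(log: str) -> List[StalePr]:
    """Return one finding per dependency whose existing PR lags the latest release."""
    findings: List[StalePr] = []
    dependency = current = latest = None
    for line in log.splitlines():
        if match := CHECK_RE.search(line):
            # A new dependency check starts; forget the previous state.
            dependency, current = match.groups()
            latest = None
        elif match := LATEST_RE.search(line):
            latest = match.group(1)
        elif match := EXISTS_RE.search(line):
            pr_dependency, pr_version = match.groups()
            if latest is None:
                continue  # no "Latest version" line seen for this check
            if parse_version(pr_version) < parse_version(latest):
                findings.append(
                    StalePr(pr_dependency, current or "?", latest, pr_version)
                )
    return findings


def describe(finding: StalePr) -> str:
    """One-line human-readable summary of a finding."""
    return (
        f"{finding.dependency}: pinned {finding.current}, latest {finding.latest}, "
        f"but updater stopped at an existing PR for {finding.pr_version}"
    )


if __name__ == "__main__":
    for stale in find_stale_prs(SAMPLE_LOG):
        print(describe(stale))
```

Run against a job's log, the script prints one line per dependency where the updater gave up at an older PR; pointing it at a clean log (where the existing PR already targets the latest version) prints nothing.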

@valentijnscholten
Member Author

Our config seems fine, nothing states to ignore anything jquery:

Applied config from .dependabot/config.yml:

---
update_configs:
- directory: "/components"
  package_manager: javascript
  target_branch: dev
  update_schedule: live
In addition, the following defaults have been applied:

---
allowed_updates:
- match:
    update_type: all
    dependency_type: direct
- match:
    update_type: security
    dependency_type: indirect
automerged_updates: []
default_assignees: []
default_labels:
- dependencies
- javascript
default_reviewers: []
ignored_updates:
- match:
    dependency_name: bootstrap
    version_requirement: ">= 4.a, < 5"
- match:
    dependency_name: bootstrap-social
    version_requirement: ">= 5.a, < 6"
- match:
    dependency_name: bootswatch
    version_requirement: ">= 4.a, < 5"
- match:
    dependency_name: chosen
    version_requirement: ">= 1.a, < 2"
- match:
    dependency_name: drmonty-datatables-responsive
    version_requirement: ">= 2.a, < 3"
- match:
    dependency_name: flot
    version_requirement: ">= 2.a, < 3"
- match:
    dependency_name: flot
    version_requirement: ">= 3.a, < 4"
- match:
    dependency_name: flot
    version_requirement: ">= 4.a, < 5"
- match:
    dependency_name: fullcalendar
    version_requirement: ">= 5.a, < 6"
- match:
    dependency_name: startbootstrap-sb-admin-2
    version_requirement: ">= 3.a, < 4"
- match:
    dependency_name: startbootstrap-sb-admin-2
    version_requirement: ">= 4.a, < 5"
- match:
    dependency_name: "@yarn_components/font-awesome"
    version_requirement: "!! 0d1f27efb836eb2ab994ba37221849ed64a73e5c"
version_requirement_updates: auto

@valentijnscholten
Member Author

After some messing around dependabot is working again for jquery: #2829
