Dependabot updates major +incompatible versions for go modules

[mctofu]

Package ecosystem
go_modules

Package manager version
1.17

Updated dependency
github.com/twitchtv/twirp

What you expected to see, versus what you actually saw
Prior to #4434 Dependabot would not update github.com/twitchtv/twirp from 5.12.1+incompatible to the latest release v8.1.0+incompatible. The original code to find the latest version would always ignore major version upgrades.

With the switch to go list -m -versions to resolve versions the behavior has slightly changed. For dependencies that are go modules the command only returns versions within the specified major version so the prior behavior is preserved. However, for dependencies that aren't go modules, such as github.com/twitchtv/twirp, the command returns all versions so major version upgrades are allowed.

I think this is not actually a bug but wanted to document the change. For true go modules we currently avoid updating major versions because it would involve extra work to update source files to the new module path. However, this may be a feature we support in the future. For dependencies that aren't go modules Dependabot only needs to update the go.mod to the new major version which it currently does.

If this new behavior is not desired it's possible to define an ignore condition in dependabot.yml to avoid major version updates for affected dependencies: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#ignore

[jeffwidman]

However, this may be a feature we support in the future.

This may also eventually be supported in go upstream, which would make it much easier to extend support for within Dependabot. There's a few open tickets already in the go repo, although I don't have time to dig them up right now.

[jurre]

It'd be nice if we could rewrite the import paths for these cases at least, I think having to fix breaking changes in code is to be expected, but at least dependabot can take care of the busywork. I've had a PoC of that open for a while and I think it's doable. Against these latest changes that PR would be slimmed down a bunch.

I believe that not being able to update import paths has also been the reason we don't raise PRs for major versions in go, because it results in any PR that dependabot opens for a major version update to be broken by default, even if the breaking changes don't affect the repo in question.

someone can simply close the PR to ignore a particular version

This is tricky, because now they do miss updates to minor versions that they could pull in without questions. Also some of our users get annoyed by dependabot opening PRs they cannot act on.

[jeffwidman]

Closing this as no further action needed.

This new behavior has been working well enough with minimal user complaints.

And the go ecosystem has rapidly adopted modules, so the +incompatible modules are becoming more and more rare.