PR not opened when using Cargo workspace dependencies #7896
Comments
@edmorley I've not been able to dig into why this update was not possible specifically, but I did verify if it was related to grouped updates, and it seems like it's not, meaning that we also don't see an update without grouping enabled on this reproduction. There are various reasons why that could happen, and this one may or may not be valid, but that'll require more investigation.
Ah thank you. The reason why I thought this was related to grouped updates, was that we have successfully had updates to the repo root Cargo.toml from Dependabot prior to us enabling grouping (eg heroku/buildpacks-jvm#407), and so had thought it might be due to the grouping. But maybe it's some other regression?
Could it be related to something like conflicting transitive dependencies that differ between those projects? That would be my first guess.
I have the same problem with cargo's root workspace dependencies.
I noticed some cargo dependencies aren't caught by the dependabot. For example, there are gix updates, but the dependabot somehow thinks it's not possible to update.

```
updater | 2023/12/14 15:57:52 INFO <job_762380319> Checking if gix 0.55.2 needs updating
proxy | 2023/12/14 15:57:52 [063] GET https://crates.io:443/api/v1/crates/gix
proxy | 2023/12/14 15:57:52 [063] 200 https://crates.io:443/api/v1/crates/gix
updater | 2023/12/14 15:57:53 INFO <job_762380319> Latest version is 0.56.0
...
updater | 2023/12/14 15:58:00 INFO <job_762380319> Requirements to unlock update_not_possible
updater | 2023/12/14 15:58:00 INFO <job_762380319> Requirements update strategy bump_versions
updater | 2023/12/14 15:58:00 INFO <job_762380319> No update possible for gix 0.55.2
```

I don't know what's wrong, but let's try without the grouped updates as it was working before. FWIW, this issue looks similar: dependabot/dependabot-core#7896
I've been able to confirm that this doesn't seem related to the grouping feature, but instead it seems that Dependabot just doesn't work well with the Cargo workspace dependencies feature. I've updated the issue title accordingly.
The bot just added a bunch of irrelevant GitHub issue tags - could someone remove them?
Is a PR not opened at all, or is it just not correct? Put another way, is there any indication a dependency needs to be updated? We plan on using workspace dependencies for a large mono repo as we do with all our other languages' mono repos for centralized management.
@heaths I'm not sure about the issue that @edmorley reported, but I came here to report a similar issue with workspaces - we see Dependabot opening some PRs, but they do not have any actual updates in them. There are also far fewer PRs than are actually needed to update the dependencies.
Is there an existing issue for this?
Package ecosystem
Cargo
Package manager version
1.71.1
Language version
1.71.1
Manifest location and content before the Dependabot update
https://github.com/edmorley/testcase-dependabot-cargo-workspace-not-updated/blob/main/Cargo.toml
https://github.com/edmorley/testcase-dependabot-cargo-workspace-not-updated/blob/main/example-crate-one/Cargo.toml
https://github.com/edmorley/testcase-dependabot-cargo-workspace-not-updated/blob/main/example-crate-two/Cargo.toml
dependabot.yml content
https://github.com/edmorley/testcase-dependabot-cargo-workspace-not-updated/blob/main/.github/dependabot.yml
Updated dependency
No response
What you expected to see, versus what you actually saw
I expected Dependabot to open a PR updating the Rust crates `libcnb`, `libcnb-test` and `libherokubuildpack` from 0.13.0 to the latest version 0.14.0, since newer versions exist. This PR should edit the root `Cargo.toml`, since that's where those "workspace defined dependencies" exist.

Note: Dependabot successfully updates these dependencies on some of our other repos (for example heroku/buildpacks-ruby#192). These other repos were also using grouped Dependabot, however, those other repos aren't using the "dependencies defined in workspace root" feature of Cargo workspaces - so I presume that must be the difference? Dependabot does support Cargo workspaces in general though thanks to #5794 (we've had PRs for single/ungrouped dependencies before).
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
Dependabot logs:
https://github.com/edmorley/testcase-dependabot-cargo-workspace-not-updated/network/updates/713389708
In particular, it seems Dependabot finds the updated crates:
But then decides afterwards it cannot update to it here?
Smallest manifest that reproduces the issue
No response
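For readers unfamiliar with the Cargo feature the report refers to, the following is an added illustration of the "dependencies defined in workspace root" layout; it is not the contents of the reproduction repository linked above. The crate names and the 0.13.0 / 0.14.0 versions are taken from the report; the member crate directory names, package versions and edition are assumed. The point it shows is that the only version requirement for each shared crate lives in the root manifest, so an updater that rewrites member manifests finds nothing to bump there.

```toml
# Root Cargo.toml (added illustration, not the reproduction repository's file).
# Each shared crate's version requirement is declared exactly once, here.
[workspace]
members = ["example-crate-one", "example-crate-two"]   # member paths are assumed

[workspace.dependencies]
libcnb = "0.13.0"
libcnb-test = "0.13.0"
libherokubuildpack = "0.13.0"

# example-crate-one/Cargo.toml (member crate, assumed layout, shown in the same
# block for brevity; in a real workspace this is a separate file).
# `workspace = true` inherits the requirement from the root table above. There is
# no version string in the member manifest, so a bump from 0.13.0 to 0.14.0 has
# to be written into the root Cargo.toml or it does not happen at all.
[package]
name = "example-crate-one"
version = "0.1.0"
edition = "2021"

[dependencies]
libcnb = { workspace = true }
libherokubuildpack = { workspace = true }

[dev-dependencies]
libcnb-test = { workspace = true }
```

Because a missed update leaves no trace in the repository, a maintainer who wants to know whether a workspace is actually current cannot rely on the presence or absence of a Dependabot PR; running `cargo tree` in the workspace prints the resolved version of every dependency and makes a stale inherited crate visible regardless of what the updater decided.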