you need to take care of semantic versioning

[OskarStark]

Hi @greysteil

lets take this picture as base of the conversation:

I defined ^2.5 in my composer.json to allow the following versions:

2.5.1
...
2.99.99 etc.

I am totally fine by upgrading to 2.5.14 in my composer.lock but not by changing the constraint itself in composer.json.

Because from now on, I cannot run composer update on my local machine AND you change the constraint, because now the allowed versions does not contain 2.6, 2.7.... but they were allowed before 😢

So we are back on #161 😄

Cheers, Oskar

[greysteil]

Hey @OskarStark,

Thanks for reporting this - I totally rely on feedback like this to keep making Dependabot better.

I've just pushed this change that partly addresses the above - Dependabot will now keep the same digit length. In the case listed above, that would mean Dependabot wouldn't have updated your composer.json, just your composer.lock.

The change I've made doesn't stop Dependabot from updating your composer.json from ^2.5 to ^2.6, which I think is probably the behaviour you'd want anyway, except for if your repo is a library (in which case specifying it as such in the composer.json, or not committing the composer.lock, would trigger Dependabot's library behaviour and only update your composer.json if the new version was outside of your currently accepted range).

Make sense?

[OskarStark]

Hey @greysteil glad to hear that feedback from you 👍

ofc I will test it as soon as I can. And yes I want to upgrade from to 2.6 and 2.7 if ^2.5 is specified.
But I don't want to go to up to 3.x in this case ;-)

I will provide feedback here!

[greysteil]

Awesome. If you haven't merged the duff PR, and have made any changes to its target branch (normally master) since it was created, then commenting @dependabot rebase? on it should update the composer.json changes.

[OskarStark]

Hey @greysteil I closed the branches and me and/or dependabot closed some of these branches, so I could not reopen anymore :(

[greysteil]

Ah, OK. I've regenerated a few of those PRs for you with the new setup - let me know if that's any better!

[OskarStark]

I received a PR, but with the old (wrong) logic I guess:

[greysteil]

OK, I've updated our logic to not update the composer.json for PHP if the range is allowable, and will keep it that way unless I start hearing users asking for updates that look like the ones above. I've also kicked off another set of updates for the bad PRs on your repos - if you have any bad PRs that are open there just close them and Dependabot will re-generate them using the new logic the following morning.

Thanks for the feedback on this!