Undo ignore this dependency

[glensc]

I've blocked updating a dependency with @dependabot ignore this dependency:

• Bump requests-cache from 0.8.1 to 0.9.0 Taxel/PlexTraktSync#686 (comment)

dependabot responded:

• Bump requests-cache from 0.8.1 to 0.9.0 Taxel/PlexTraktSync#686 (comment)

OK, I won't notify you about requests-cache again, unless you re-open this PR or update it yourself. 😢

but I can't reopen the pr, because it's already merged:

• Bump requests-cache from 0.8.1 to 0.9.0 Taxel/PlexTraktSync#686 (comment)

and I've definitely updated the dependency myself after that (which I created manually as dependabot didn't update):

• Update requests cache to 0.9.7 Taxel/PlexTraktSync#1222

there's 0.9.8 out now:

• https://github.com/requests-cache/requests-cache/releases/tag/v0.9.8

but version still at 0.9.7 and no dependabot update pull request:

• https://github.com/Taxel/PlexTraktSync/blob/a81ed7797ab9015569442340af4ce36540a006ab/requirements.txt#L30

how to rectify the problem, I want dependabot start updating that dependency again :)

[deivid-rodriguez]

This seems like a bug. There's also other person that reported the same thing here: #1384. Apparently the "or update it yourself" part is not really working :(

[glensc]

can we have new command @dependabot stop ignoring me @dependabot stop ignoring this dependency? :)

[deivid-rodriguez]

I checked and we no longer have the feature to automatically unignore dependencies when manually updated independently. I guess it was a feature of the old Dependabot that was not native to GitHub, and it got lost in the migration. We realized about this some time ago and at least we should no longer be creating false expectations with the "or update it yourself" part since Dependabot no longer comments about that, just says "Reopen the PR".

That feature is hard to get right anyways, since I imagine cases where someone manually updates an ignored dependency and may not want it to be unignored.

An explicit comment would be the way to go, I agree.

[glensc]

a side note: you can't reopen merged pr, so the second suggestion will not work either all the time.

[glensc]

@deivid-rodriguez are there any workarounds to try until the new command is implemented and deployed?

[deivid-rodriguez]

Something you can try is to explicit ignore the dependency through configuration, commit that to your main branch, and then remove it again. Not sure if it will work, but it sounds like it should.

[nikosmoum]

TL;DR: I don't want to keep track a list of PRs of depencencies I marked as ignored, and manually un-ignore one by one. It should be either a) automatic (manual update of the dep un-ignores it), or b) provide a centralized place to list my ignored deps, and a way to easily choose which to un-ignore en-masse.

I don't believe the explicit comment solution (e.g. @dependabot unignore..) is good enough. It is very unintuitive since you have to either keep track the PRs you mark as ignored, or search for each PR you marked as ignored later, to go back and manually re-open it. I just found this bug existed, so had to spend a significant amount of time going through the dependabot update check logs to find 22 ignored dependencies and search for all their old PRs, re-open them, rebase for conflicts, etc. one by one.

The original way the feature was implemented is ideal (when manually updated, the dependency gets un-ignored). If the only problem there is the case where someone manually updated a dependency they ignored in the past and want to keep it ignored, then they can do so in dependabot.yml. So the config file will always have precedence over PR comment commands.

If for whatever reason that is not possible to be implemented (which I doubt), then there are plenty of ways of providing a centralized place to easily list all your ignored dependencies, and choose which ones you want to unignore. It could be:

• In a UI tab under "Insights > Dependency Graph", next to the 'dependabot' tab. checkbox next to each ignored dependency, so I can choose and then click 'un-ignore', or 'un-ignore all'.
• Similar , but in the form of a cli tool.

[shleeable]

This issue is a major annoyance. I might need to install depfu or something to handle this on top of depenabot.

Please give us a way to remove all ignores... or at least view all of the ignores, and remove them one by one.

[ro0NL]

we've ignored php8 when running php7, now that we've updated to php8 we don't get any dependabot alerts still

that ignore should be invalidated automatically once updated IMHO, and is a rather annoying bug currently