
Undo ignore this dependency #6489

Open
glensc opened this issue Jan 20, 2023 · 19 comments
Labels
F: dependency-ignores Allow excluding certain versions Keep Exempt this from being marked by stalebot

Comments

@glensc

glensc commented Jan 20, 2023

I've blocked updating a dependency with @dependabot ignore this dependency:

dependabot responded:

OK, I won't notify you about requests-cache again, unless you re-open this PR or update it yourself. 😢

but I can't reopen the PR, because it's already merged:

and I've definitely updated the dependency myself after that (which I created manually as dependabot didn't update):

there's 0.9.8 out now:

but version still at 0.9.7 and no dependabot update pull request:

How do I rectify the problem? I want dependabot to start updating that dependency again :)

@deivid-rodriguez
Contributor

This seems like a bug. There's also another person who reported the same thing here: #1384. Apparently the "or update it yourself" part is not really working :(

@deivid-rodriguez deivid-rodriguez added the F: dependency-ignores Allow excluding certain versions label Jan 20, 2023
@glensc
Author

glensc commented Jan 20, 2023

Can we have a new command, @dependabot stop ignoring me or @dependabot stop ignoring this dependency? :)

@deivid-rodriguez
Contributor

I checked and we no longer have the feature to automatically unignore dependencies when they are manually updated independently. I guess it was a feature of the old Dependabot that was not native to GitHub, and it got lost in the migration. We realized this some time ago, and at least we should no longer be creating false expectations with the "or update it yourself" part, since Dependabot no longer comments about that and just says "Reopen the PR".

That feature is hard to get right anyway, since I can imagine cases where someone manually updates an ignored dependency and may not want it to be unignored.

An explicit comment would be the way to go, I agree.

@glensc
Author

glensc commented Jan 20, 2023

A side note: you can't reopen a merged PR, so the second suggestion will not always work either.

@glensc
Author

glensc commented Jan 20, 2023

@deivid-rodriguez are there any workarounds to try until the new command is implemented and deployed?

@deivid-rodriguez
Contributor

Something you can try is to explicitly ignore the dependency through configuration, commit that to your main branch, and then remove it again. Not sure if it will work, but it sounds like it should.
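The explicit configuration ignore that this workaround refers to, written out as an added example (not part of the thread); the pip ecosystem, the "/" directory and the weekly schedule are assumptions, only the dependency name comes from the issue:

```yaml
# Added example, not from the thread. Assumed: pip ecosystem, manifest in "/",
# weekly schedule. Step 1: commit this ignore entry to the main branch so the
# next update job records requests-cache as explicitly ignored in config.
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # With no "versions" key, every version of requests-cache is skipped.
      # Step 2: after one update job has run, delete this entry and commit
      # again so Dependabot resumes opening update PRs for it.
      - dependency-name: "requests-cache"
```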

@nikosmoum

TL;DR: I don't want to keep track of a list of PRs for dependencies I marked as ignored, and manually un-ignore them one by one. It should either a) be automatic (a manual update of the dep un-ignores it), or b) provide a centralized place to list my ignored deps, and a way to easily choose which to un-ignore en masse.

I don't believe the explicit comment solution (e.g. @dependabot unignore..) is good enough. It is very unintuitive, since you have to either keep track of the PRs you mark as ignored, or search for each PR you marked as ignored later, to go back and manually re-open it. I just found out this bug existed, so I had to spend a significant amount of time going through the dependabot update check logs to find 22 ignored dependencies and search for all their old PRs, re-open them, rebase for conflicts, etc. one by one.

The original way the feature was implemented is ideal (when manually updated, the dependency gets un-ignored). If the only problem there is the case where someone manually updated a dependency they ignored in the past and want to keep it ignored, then they can do so in dependabot.yml. So the config file will always have precedence over PR comment commands.

If for whatever reason that is not possible to be implemented (which I doubt), then there are plenty of ways of providing a centralized place to easily list all your ignored dependencies, and choose which ones you want to unignore. It could be:

  • In a UI tab under "Insights > Dependency Graph", next to the 'dependabot' tab, with a checkbox next to each ignored dependency, so I can choose and then click 'un-ignore' or 'un-ignore all'.
  • Similar, but in the form of a CLI tool.

@shleeable

This comment was marked as duplicate.

@ro0NL

ro0NL commented Mar 27, 2023

We ignored php8 while running php7; now that we've updated to php8, we still don't get any dependabot alerts.

That ignore should be invalidated automatically once updated IMHO, and it is a rather annoying bug currently.

@nikosmoum

nikosmoum commented Apr 5, 2023

Any news on when this fix is planned for? We are currently stuck, because:

  • Updating the version manually does not unignore it.
  • We renamed our primary branch from master to main, so when trying to re-open old PRs to force the unignore that way, the dependabot reply is 'Dependabot tried to reopen this PR, but was told that the target branch has been deleted (and therefore that this PR couldn't be reopened).'

This means that right now there is no way to unignore any of the dependencies we had marked as ignored in the past.

@jeffwidman
Member

jeffwidman commented Apr 6, 2023

@ro0NL I think you're actually hitting:

@nikosmoum yeah, for your case you're truly stuck, please file a support ticket and someone on the :dependabot: team can manually run an internal command to remove your ignores. I suggest including a link directly to this comment + direct links to the repos you want the ignore rules removed from.

Basically the prioritization of this feature will depend on how painful it is for us because while we'd love to do it, there's a lot of other things we'd love to build out too... and it's unclear how often users are hitting this...

If you want this, be sure to 👍 the original comment on this issue as we use that as one signal of impact/value.

@nschonni

This comment was marked as off-topic.

@jeffwidman

This comment was marked as off-topic.

@nschonni

This comment was marked as off-topic.

@jeffwidman

This comment was marked as off-topic.

@glensc
Author

glensc commented Aug 23, 2023

Can support at least unignore my case manually?

@KrohnicDev

I stumbled upon this issue when I was trying to unignore the Spring Boot dependency. For me, reopening the old pull request did not work. Even after closing the PR as instructed, the dependency was still ignored.

However, I managed to get it working by commanding Dependabot to reopen it for me, which made it create a new pull request.

Hopefully this helps somebody.

@agilgur5

agilgur5 commented Feb 6, 2024

Can this be labeled as a bug? It is near impossible / very tedious to remove a comment ignore right now (and fully impossible in certain cases), except for grouped dependencies (cf. #8382). That is a blocker IMO; comment ignores just become permanent and unchangeable in many cases.

b) provide a centralized place to list my ignored deps, and a way to easily choose which to un-ignore en-masse.

Also agreed with this longer term. Even if comment unignores are properly supported, it is still very difficult to manage these as-is.

Related: It would be great if there were a setting in dependabot.yml to disallow things like comment ignores. dependabot.yml is supposed to be a central source of truth (as configuration-as-code / IaC), but actually doesn't quite work like that right now due to de-centralized overriding comments, which is unintuitive / confusing and also problematic from a security perspective (things outside of configuration are similar to "shadow IT", aptly "shadow configuration").
Alternatively (perhaps better), if a dependabot.yml exists, an overriding comment should instead create a PR to update the dependabot.yml, and not create some shadow configuration somewhere.

@htpaf

htpaf commented Mar 8, 2024

Given that #7654 is an attempt at solving the general issue of being able to see what has been ignored, it still seems that there is an "internal feature flag" active.

The documentation at managing-dependabot-pull-requests-with-comment-commands and specifying-dependencies-and-versions-to-ignore does not explain the "un-ignore" part as far as I can see.

If one has used a "@ dependabot " ignore command (of some sort) in a PR comment, what is the current way of figuring out what ignores are active?

There is mention of looking in "logs", what logs are those? Are they under "Insights" -> "Dependency graph" -> "Dependabot" -> "Recent update jobs" for example?

@jonjanego jonjanego added the Keep Exempt this from being marked by stalebot label May 2, 2024