Cannot un-ignore Dependabot ignore conditions

[chrjohn]

🏷️ Discussion Type

Question

💬 Feature/Topic Area

Other

Discussion Details

A long time ago a made a big mistake and ignored a dependency version: quickfix-j/quickfixj#509 (comment)
It was not until now that I realised that this will block any 2.2.x update (actually I wanted to ignore only that specific update to 2.2.1).

I tried to un-ignore via the PR but this did not work because the PR was over 2 years old and the branch has been deleted.

Then I tried to overrule this via dependabot config here https://github.com/quickfix-j/quickfixj/pull/1256/changes and here https://github.com/quickfix-j/quickfixj/pull/1257/changes but to no avail. The dependabot log still shows:

2026-06-11T14:48:11.0029510Z updater | 2026/06/11 14:48:11 INFO <job_1408401704> Checking if org.apache.mina:mina-core 2.2.7 needs updating
2026-06-11T14:48:11.0031760Z updater | 2026/06/11 14:48:11 INFO <job_1408401704> Ignored versions:
2026-06-11T14:48:11.0032694Z 2026/06/11 14:48:11 INFO <job_1408401704>   < 2.2.7 - from .github/dependabot.yml
2026-06-11T14:48:11.0033435Z 2026/06/11 14:48:11 INFO <job_1408401704>   >= 2.2.a, < 2.3 - from @dependabot ignore command
2026-06-11T14:48:11.0901211Z   proxy | 2026/06/11 14:48:11 [442] GET https://repo.maven.apache.org:443/maven2/org/apache/mina/mina-core/maven-metadata.xml
2026-06-11T14:48:11.1112114Z   proxy | 2026/06/11 14:48:11 [442] 200 https://repo.maven.apache.org:443/maven2/org/apache/mina/mina-core/maven-metadata.xml
2026-06-11T14:48:11.2160926Z   proxy | 2026/06/11 14:48:11 [444] GET https://repo.maven.apache.org:443/maven2/org/apache/mina/mina-core/
2026-06-11T14:48:11.2339330Z   proxy | 2026/06/11 14:48:11 [444] 200 https://repo.maven.apache.org:443/maven2/org/apache/mina/mina-core/
2026-06-11T14:48:11.2490685Z updater | 2026/06/11 14:48:11 INFO <job_1408401704> Filtered out 9 pre-release versions
2026-06-11T14:48:11.2720762Z updater | 2026/06/11 14:48:11 INFO <job_1408401704> All updates for org.apache.mina:mina-core were ignored

Shouldn't there be a config in the github settings or some other overrule switch somewhere? I couldn't find it.
Thanks in advance for any help.

[Lopesnextgen]

Hey Christoph,

This looks like a stored Dependabot ignore condition

The important line is this one:

• >= 2.2.a, < 2.3 - from @dependabot ignore command

That ignore does not live in .github/dependabot.yml. Dependabot stores ignores created from PR comments centrally for the repository.

So the config changes in your PRs probably cannot override it. Dependabot applies allow/normal update rules first, then filters ignored versions afterward. If a dependency version matches both an allowed rule and an ignored rule, the ignore wins.

In your log, Dependabot is seeing two ignores:

• < 2.2.7 - from .github/dependabot.yml
• >= 2.2.a, < 2.3 - from @dependabot ignore command

Together, those block the entire useful range, including 2.2.7.

What I would try

First, remove the temporary .github/dependabot.yml ignore once it is no longer needed. That clears the visible/config-file part.

The harder part is the stored @dependabot ignore rule.

Possible ways out:

• If the old PR can be restored, restore the deleted branch and reopen the PR using GitHub’s normal UI or gh pr reopen.
• If you have a grouped Dependabot PR, try @dependabot show org.apache.mina:mina-core ignore conditions, then @dependabot unignore org.apache.mina:mina-core.
• If unignore is not available because this was a non-grouped update, manually bump org.apache.mina:mina-core to the desired 2.2.x version and merge it.
• If the stored ignore still remains after that, contact GitHub Support and ask them to clear the repository-level Dependabot ignore condition for org.apache.mina:mina-core.

One wrinkle: @dependabot reopen itself was removed as a supported comment command in January 2026, so the current path is GitHub’s native reopen UI/API/CLI rather than the old Dependabot command.

I agree there should be a settings page

This is exactly the kind of case where a repository setting would help.

Something like:

• Dependabot → Ignored dependencies
• show ignores from .github/dependabot.yml
• show ignores created by PR comments
• show who created them and when
• allow maintainers/admins to remove them

Right now these comment-created ignores are easy to create and hard to discover later. Two years later, the log is basically the only clue.

So yes, I think your expectation is reasonable. There should be an overrule/management surface for this. The current behavior makes sense technically, but the recovery path is too hidden, especially when the original PR branch was deleted.

Useful docs:

• Dependabot ignore rules: https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated
• Dependabot options reference: https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference
• Dependabot PR comment commands: https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-pull-request-comment-commands
• January 2026 command changes: https://github.blog/changelog/2026-01-27-changes-to-github-dependabot-pull-request-comment-commands/

[chrjohn]

Thanks @Lopesnextgen for the reply and the useful information.
I've already tried to bump to a newer version on the last MINA update (quickfix-j/quickfixj#1217) but it did not clear the ignore rule.
Will contact github support then... thanks again and cheers