
Specifying allow-conditions disallows all updates #652

Open
emahiq opened this issue Jun 5, 2023 · 8 comments · Fixed by #711
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@emahiq

emahiq commented Jun 5, 2023

When configuring dependabot with an allow-section in dependabot.yml, all updates are disallowed, even those that match.

dependabot-pipeline.yml:

trigger: none

pool:
  vmImage: 'ubuntu-latest'

steps:
    - task: dependabot@1
      displayName: 'Run Dependabot'
      inputs:
        skipPullRequests: true

dependabot.yml

version: 2
updates:
  - package-ecosystem: nuget
    directory: '/'
    schedule:
      interval: daily
    allow:
      - dependency-name: Newtonsoft.Json

DependabotSandbox.csproj

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.2" />
    <PackageReference Include="Serilog" Version="2.11.0" />
  </ItemGroup>

</Project>

Both Newtonsoft.Json and Serilog have newer versions available. I am expecting Newtonsoft.Json to be updated, but not Serilog.

Log excerpt:

docker run --rm -i -e DEPENDABOT_PACKAGE_MANAGER=nuget -e DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT=5 -e DEPENDABOT_DIRECTORY=/ -e DEPENDABOT_ALLOW_CONDITIONS=[{"dependency-name":"Newtonsoft.Json"}] -e DEPENDABOT_FAIL_ON_EXCEPTION=true -e DEPENDABOT_SKIP_PULL_REQUESTS=true -e AZURE_ORGANIZATION= -e AZURE_PROJECT= -e AZURE_REPOSITORY=dependabot-test -e AZURE_ACCESS_TOKEN=*** -e AZURE_MERGE_STRATEGY=squash ghcr.io/tinglesoftware/dependabot-updater:0.18
...
2023-06-05T13:41:54.3531337Z Found 1 dependency file(s) at commit 3724e71509a02f4649922d6780dfeb014866351c
2023-06-05T13:41:54.3533117Z - /DependabotSandbox.csproj
2023-06-05T13:41:54.3533610Z Parsing dependencies information
2023-06-05T13:41:54.3540193Z Found 2 dependencies
2023-06-05T13:41:54.3540596Z - Newtonsoft.Json (13.0.2)
2023-06-05T13:41:54.3541307Z - Serilog (2.11.0)
...
2023-06-05T13:41:55.0990774Z Requirements to unlock own
2023-06-05T13:41:55.0991286Z Requirements update strategy
2023-06-05T13:41:55.0991600Z Updating Newtonsoft.Json is not allowed
2023-06-05T13:41:55.0996795Z Checking if Serilog 2.11.0 needs updating
...
2023-06-05T13:41:55.8878571Z Requirements to unlock own
2023-06-05T13:41:55.8879006Z Requirements update strategy
2023-06-05T13:41:55.8879299Z Updating Serilog is not allowed

However, removing the allow-section altogether makes both versions update as expected. It is as if dependabot can't understand the conditions provided with DEPENDABOT_ALLOW_CONDITIONS, and so interprets the allow-section as empty, effectively disallowing all updates. But that's just a guess.

Is there anything that I've simply overlooked here? Is it a known problem?

@emahiq
Author

emahiq commented Jun 7, 2023

It seems like all allow-conditions require a dependency-type, as seen here.

I modified my dependabot.yml to this, where I added dependency-type: all:

version: 2
updates:
  - package-ecosystem: nuget
    directory: '/'
    schedule:
      interval: daily
    allow:
      - dependency-name: Newtonsoft.Json
        dependency-type: all

This works. However, the allow section in the dependabot docs on GitHub clearly shows examples where only dependency-name is specified.

Is there a discrepancy here, where this extension mistakenly behaves differently from dependabot core? Or is this by design?

@mburumaxwell
Contributor

Thanks for reporting this

@mburumaxwell
Contributor

Just pushed release 0.19.0. It'd be great if you could test and report back.

@emahiq
Author

emahiq commented Aug 8, 2023

Sorry for the late reply, was on vacation @mburumaxwell

I haven't had time to test removing dependency-type: all from my allows yet, but I noticed that at the same time as this release, my allows are completely disregarded. Dependabot is creating PRs for all NuGet packages, whether they match an allow or not.

Here is my dependabot.yaml:

updates:
  - package-ecosystem: nuget
    directory: /ProjectName
    schedule:
      interval: daily
    allow:
      - dependency-name: Newtonsoft.Json
        dependency-type: all
      - dependency-name: MudBlazor
        dependency-type: all
      - dependency-name: Microsoft.NET.Test.Sdk
        dependency-type: all
      - dependency-name: xunit.*
        dependency-type: all
      - dependency-name: Moq
        dependency-type: all
      - dependency-name: coverlet.collector
        dependency-type: all
      - dependency-name: Amazon.*
        dependency-type: all
      - dependency-name: Polly.*
        dependency-type: all
      - dependency-name: Dapper
        dependency-type: all
      - dependency-name: Npgsql
        dependency-type: all
      - dependency-name: System.IdentityModel.Tokens.Jwt
        dependency-type: all
      - dependency-name: Microsoft.IdentityModel.Protocols.OpenIdConnect
        dependency-type: all
      - dependency-name: Google.Protobuf
        dependency-type: all

Yet I've been getting PRs for e.g. AWSSDK.Lambda and Microsoft.Extensions.Configuration.Abstractions - none of which match any of the allows. Can I specify a version of dependabot to use until this is fixed? We're getting a lot of PRs that we have to reject right now.

@mburumaxwell
Contributor

In this case it is easier to use ignore.
The way the script works currently, ignore is checked before allow to ensure that ignore has the utmost say. Maybe this will change in the future but for now ignore is a much easier alternative.
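To make the two behaviours discussed in this thread concrete (an allow condition without dependency-type matching nothing, as reported on Jun 7, versus ignore being evaluated before allow, as the maintainer describes), here is an added model of the allow/ignore evaluation in Python. It is not the extension's or dependabot's own code; the `require_type` switch, the sample dependency list and the dependency types are assumptions, and the JSON string is the one passed via DEPENDABOT_ALLOW_CONDITIONS in the log above.

```python
import fnmatch
import json

# Constructed sample: same value the log above passes in DEPENDABOT_ALLOW_CONDITIONS
ALLOW_CONDITIONS_ENV = '[{"dependency-name":"Newtonsoft.Json"}]'
# Constructed sample (name, dependency-type) pairs mirroring the csproj in the report
DEPENDENCIES = [("Newtonsoft.Json", "direct"), ("Serilog", "direct")]


def condition_matches(cond, name, dep_type, require_type):
    """Return True if a single allow/ignore condition matches a dependency.

    A missing dependency-name matches any name; dependency-name may contain
    '*' wildcards (e.g. 'xunit.*').  With require_type=True a condition that
    has no dependency-type never matches, which reproduces the behaviour the
    reporter saw before 0.19.0; with require_type=False a missing
    dependency-type is treated as 'all', as the dependabot docs imply.
    """
    pattern = cond.get("dependency-name", "*")
    if not fnmatch.fnmatchcase(name, pattern):
        return False
    wanted = cond.get("dependency-type")
    if wanted is None:
        return not require_type
    return wanted == "all" or wanted == dep_type


def update_allowed(name, dep_type, allow, ignore=(), require_type=False):
    """Decide whether an update is allowed; ignore wins over allow."""
    # ignore is checked first so that it has the final say
    if any(condition_matches(c, name, dep_type, False) for c in ignore):
        return False
    if not allow:          # no allow section at all: everything is allowed
        return True
    return any(condition_matches(c, name, dep_type, require_type) for c in allow)


def evaluate(env_json, deps, require_type):
    """Apply the JSON allow list from the environment to every dependency."""
    allow = json.loads(env_json)
    return {n: update_allowed(n, t, allow, require_type=require_type) for n, t in deps}
```

With `require_type=True` both packages come back disallowed, matching the "Updating ... is not allowed" lines in the log; with `require_type=False` only Newtonsoft.Json is allowed, which is what the reporter expected.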

@emahiq
Author

emahiq commented Aug 8, 2023

The list would be three times as long if I used ignores instead. Are you saying that allow doesn't work at all anymore? Or is there something with my particular setup that breaks it?

@mburumaxwell
Contributor

Recently we made a major change to an image per ecosystem. Since #711 happened before it, you cannot rollback effectively.

I will try and reproduce your issue but I cannot guarantee when that will be.
In the meantime, I encourage you to try ignores, but I will also reopen the issue for tracking.

@mburumaxwell mburumaxwell reopened this Aug 8, 2023
@emahiq
Author

emahiq commented Aug 8, 2023

I understand. Thank you for the help! I'll see if we can work around this for now then.
