dependabot doesn't work well for multi modules repository #6678
Comments
|
I can confirm I'm having the same issue in a project with multiple modules and I'm also seeing that dependabot is not updating the indirect dependencies of nested modules. |
jeffwidman
added
the
F: monorepo 📦
|
Thanks, and sorry for the frustrating experience here. However, this is already tracked under: So I'm going to close as a duplicate. Regarding your other questions:
In the abstract, you basically need custom post-processing of the PR based on the structure of your repo... that's probably best accomplished by using a custom GitHub action that watches for Dependabot PR's and then runs
We actually just added support for bumping indirect deps in However, bumping transitive deps is the non-default behavior because it's noisy, so you'll need to specifically Hopefully this helps, and if it's still confusing let us know so we can improve our docs. |
Thanks for the feedback. So we need to configure the dependabot.yml something like below if we want to bump both direct and indirect dependencies? |
|
Pretty sure you can use |
Thanks for the quick response. But it seems that the doc isn't correct. Anyway, let me try it out. |
|
Confirmed that |
Is there an existing issue for this?
Package ecosystem
gomod
Package manager version
No response
Language version
golang 1.19.5
Manifest location and content before the Dependabot update
dependabot.yml content
https://github.com/etcd-io/etcd/blob/main/.github/dependabot.yml
Updated dependency
No response
What you expected to see, versus what you actually saw
etcd is a multi-modules repository. The problem is each time dependabot automatically creates a PR for each module for exactly the same dependency. Let's work with an example. Multiple modules (e.g. client/v3, etcdctl, etcdutl, pkg, server, test ) depend on
github.com/dustin/go-humanize, so dependabot automatically creates the following PRs,Obviously it doesn't make sense. It makes more sense to do all of them in one PR.
Note the go modules are interrelated, and each module depends on the local version of other modules using the replace directive, e.g. go.mod#L6-L13
When you bump a dependency for one of the module (assuming A), and then execute
go mod tidyfor another module (assming B), the go.mod and go.sum of B may also change. So usually the PR submitted by dependabot will never pass the github workflow's test/validation.Is there any solution for such situation? Or what's the best practice for dependency management for multi-module (go module) repository?
We also attempt to remove non-root gomod dependabot rules as to as remove most of the spam. But the problem is some direct dependencies in sub-directories' go.mod files are marked as indirect dependencies in the top level go.mod file; and it seems that dependabot will not bump version for indirect dependencies. I did a simple experiment in ahrtr/deps, and confirmed that dependabot indeed doesn't bump indirect dependency ( github.com/stretchr/testify v1.7.1 in this experiment). Did I miss anything? Could anyone confirm this?
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response
The text was updated successfully, but these errors were encountered: