dependency-type: development updates even production dependencies in composer ecosystem

[janedbal]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

composer

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

• https://github.com/shipmonk-rnd/phpstan-rules/blob/e9ddbc73a656850769e95c6e241532e37da69802/composer.json
• https://github.com/shipmonk-rnd/phpstan-rules/blob/e9ddbc73a656850769e95c6e241532e37da69802/composer.lock

dependabot.yml content

• https://github.com/shipmonk-rnd/phpstan-rules/blob/e9ddbc73a656850769e95c6e241532e37da69802/.github/dependabot.yml

Updated dependency

phpstan/phpstan

What you expected to see, versus what you actually saw

The actual meaning of dependency-type: development is poorly documented, but I'd assume it should update only dev deps and not production deps, otherwise it would be useless.

Here is a PR that shows it updates even production dependencies (phpstan/phpstan in this case).

I believe dependabot should execute composer update dev/dependency1 dev/dependency2 dev/dependency3 dev/dependency4 (list all dev depenendencies from require-dev) to achieve only dev deps being updated.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

• dependabot PR: Bump the dev-dependencies group with 3 updates shipmonk-rnd/phpstan-rules#236

Smallest manifest that reproduces the issue

No response

[janedbal]

Also, the update of phpstan/phpstan is not listed in the PR description.