Erroneously closing PRs in a major update groups due to "update no longer possible"

[judocode]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

npm

Package manager version

9.6.5

Language version

No response

Manifest location and content before the Dependabot update

https://github.com/judocode/dependabot-bug-version-types/blob/main/package.json

dependabot.yml content

https://github.com/judocode/dependabot-bug-version-types/blob/main/.github/dependabot.yml

Updated dependency

No response

What you expected to see, versus what you actually saw

This is what the state of the pull requests should like (which you can see here), which should be as follows:

• Bump file-type from 19.6.0 to 20.0.0
• Bump upgrades group with 2 updates
• Bump the nest group with 3 updates

But what it actually looks like is (link to actual pull requests)

• Bump upgrades group with 2 updates

Both of these repositories have the same exact code in them. But in the first repository, I changed the dependabot file. I believe if I change the state of the dependabot.yml file in the second repository (even if inconsequentially), it will fall into this bug state where it will close the two missing PRs.

One very temporary workaround is if I rename every group, then it seems to kick things back into a good state, but any dependency change after that can make it fall back into the error state again, so it's a losing battle

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

Action that closed the PR with message:

Telling backend to close pull request for the nest group (@nestjs/common, @nestjs/config, @nestjs/core) - update no longer possible

Job definition

{
  "job": {
    "allowed-updates": [{ "dependency-type": "direct", "update-type": "all" }],
    "commit-message-options": {
      "prefix": null,
      "prefix-development": null,
      "include-scope": null
    },
    "credentials-metadata": [{ "type": "git_source", "host": "github.com" }],
    "debug": null,
    "dependencies": ["@nestjs/common", "@nestjs/config", "@nestjs/core"],
    "dependency-groups": [
      {
        "name": "nest",
        "rules": { "patterns": ["@nestjs/*"], "update-types": ["major"] }
      },
      {
        "name": "upgrades",
        "rules": { "patterns": ["*"], "update-types": ["patch", "minor"] }
      }
    ],
    "dependency-group-to-refresh": "nest",
    "existing-pull-requests": [],
    "existing-group-pull-requests": [
      {
        "dependency-group-name": "upgrades",
        "dependencies": [
          {
            "dependency-name": "@apollo/server",
            "dependency-version": "4.11.3",
            "directory": "/"
          }
        ]
      },
      {
        "dependency-group-name": "nest",
        "dependencies": [
          {
            "dependency-name": "@nestjs/common",
            "dependency-version": "11.0.3",
            "directory": "/"
          },
          {
            "dependency-name": "@nestjs/config",
            "dependency-version": "4.0.0",
            "directory": "/"
          },
          {
            "dependency-name": "@nestjs/core",
            "dependency-version": "11.0.3",
            "directory": "/"
          }
        ]
      }
    ],
    "experiments": {
      "record-ecosystem-versions": true,
      "record-update-job-unknown-error": true,
      "proxy-cached": true,
      "move-job-token": true,
      "dependency-change-validation": true,
      "nuget-native-analysis": true,
      "nuget-use-direct-discovery": true,
      "enable-file-parser-python-local": true,
      "npm-v6-deprecation-warning": true,
      "npm-v6-unsupported-error": true,
      "python-3-8-deprecation-warning": true,
      "lead-security-dependency": true,
      "enable-record-ecosystem-meta": true,
      "enable-shared-helpers-command-timeout": true,
      "enable-fix-for-pnpm-no-change-error": true
    },
    "ignore-conditions": [],
    "lockfile-only": false,
    "max-updater-run-time": 2700,
    "package-manager": "npm_and_yarn",
    "proxy-log-response-body-on-auth-failure": true,
    "requirements-update-strategy": null,
    "reject-external-code": false,
    "security-advisories": [],
    "security-updates-only": false,
    "source": {
      "provider": "github",
      "repo": "judocode/dependabot-bug-version-types",
      "branch": null,
      "api-endpoint": "https://api.github.com/",
      "hostname": "github.com",
      "directories": ["/"]
    },
    "updating-a-pull-request": true,
    "update-subdependencies": false,
    "vendor-dependencies": false,
    "repo-private": false
  }
}

Relevant logs

2025/01/22 07:06:25 INFO <job_951885812> Updating the 'nest' group
updater | 2025/01/22 07:06:25 INFO <job_951885812> Updating the / directory.
updater | 2025/01/22 07:06:25 INFO <job_951885812> Skipping @nestjs/common as it has already been handled by a previous group
2025/01/22 07:06:25 INFO <job_951885812> Skipping @nestjs/config as it has already been handled by a previous group
updater | 2025/01/22 07:06:25 INFO <job_951885812> Skipping @nestjs/core as it has already been handled by a previous group
updater | 2025/01/22 07:06:25 INFO <job_951885812> No updated dependencies, closing existing Pull Request
updater | 2025/01/22 07:06:25 INFO <job_951885812> Telling backend to close pull request for the nest group (@nestjs/common, @nestjs/config, @nestjs/core) - update no longer possible

Smallest manifest that reproduces the issue

It doesn't seem possible to have a minimally reproduceable code as this bug surfaces when the dependabot.yml changes and I believe even other code / dependency changes as well, but I do have the following repository in that state: https://github.com/judocode/dependabot-bug-version-types

[judocode]

I am unfamiliar with this repo, but going to do some rubber ducking here and maybe through this process I solve this myself, who knows:
There is the log "No updated dependencies, closing existing Pull Request" that occurs right before this in the upsert_pull_request_with_error_handling method when dependency_change.updated_dependencies is empty.

Dependabot.logger.info("No updated dependencies, closing existing Pull Request")
close_pull_request(reason: :update_no_longer_possible, group: group)

If dependency_change.updated_dependencies do exist then it would enter the other method upsert_pull_request and I think I would expect it to hit that method, return true on dependency_change.matches_existing_pr? and ultimately run:

Dependabot.logger.info("Updating pull request for '#{group.name}'")
service.update_pull_request(dependency_change, dependency_snapshot.base_commit_sha)

Based on the comment of

Update the existing PR if the dependencies and the target versions remain the same

The other possibility is that upsert should have never been called. Looking further...

[judocode]

There is a previous log of "Skipping @nestjs/common as it has already been handled by a previous group", which I'm guessing is the root of this problem and causes dependency_change.updated_dependencies to be empty, which then triggers the pull request close.

[judocode]

Now I'm looking in the compile_all_dependency_changes_for which is what will build the previously mentioned dependency_change object and I see the suspect log "Skipping #{dependency.name} as it has already been handled by a previous group" which is driven by the following logic:

if dependency_snapshot.handled_dependencies.include?(dependency.name)

[judocode]

Because this won't happen the first time and only occurs upon future updates, I would guess dependency_snapshot.handled_dependencies is holding a cached value that it shouldn't from a previous dependabot update, or it is incorrectly considering a "handled_dependency" as an open PR

[judocode]

Fix is here: #11382

[sklakegg]

Hey, also have the same issue in Java. Every even time the schedule runs, it will close the PR with the same message. Every odd time it will just open a PR normally