Generate list of blocking upstream dependencies? #1340

Closed
jywarren opened this issue Aug 21, 2019 · 2 comments
Labels
F: pull-requests Issues about Dependabot pull requests F: security-updates 🔐 Issues specific to security updates T: feature-request Requests for new features

Comments

@jywarren

I'm trying to update past a critical severity alert, but got the message "Dependabot cannot create a pull request as one or more other dependencies require a version that is incompatible with this update."

That makes sense, and I can look through yarn.lock to see what dependencies must be updated to allow dependabot to create the PR, but it's laborious and error-prone to do this manually. I was wondering if there could be a feature to somehow list out which dependencies are blocking the critical severity one, and offer to open PRs for those too, to make a kind of tree of pre-dependencies (for lack of a better term). This could fast-track a course of action which addresses critical severity alerts.

Right now, we have a lot of dependabot PRs which we work through as we're able to, but we're not aware of whether we're making progress towards the critical severity ones.

Thanks, we ❤️ dependabot!
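The manual step described in the request above (read yarn.lock, find every dependent whose declared range excludes the patched version of the vulnerable package, then find who pins each of those) as an added example; this is not Dependabot's code and not code posted by the issue author. It assumes a yarn v1 lockfile and implements only a small subset of semver ranges (exact, `^`, `~`, comparison operators, `*`, space-joined AND and `||` OR; prerelease tags are ignored). The package names, versions and registry URL in the sample lockfile are constructed for the example.

```javascript
// Added example, not code from Dependabot or from this issue's author. Given a
// yarn v1 lockfile, a vulnerable package and the version an advisory calls
// patched, list every lockfile entry whose declared range on that package
// excludes the patched version: the "blocking" dependencies. Assumptions:
// yarn.lock v1 layout; small semver subset (exact, ^, ~, >, >=, <, <=, "*",
// space-joined AND, "||" OR); prerelease tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// One comparator token such as "^1.2.3", "~0.4.0", ">=2.0.0", "1.0.0", "*".
function satisfiesToken(v, token) {
  if (token === '*' || token === '') return true;
  const m = /^(\^|~|>=|<=|>|<|=)?(v?\d+\.\d+\.\d+)$/.exec(token);
  if (!m) throw new Error(`unsupported range token: ${token}`);
  const op = m[1] || '=';
  const base = parseVersion(m[2]);
  const c = cmp(v, base);
  switch (op) {
    case '=': return c === 0;
    case '>': return c > 0;
    case '>=': return c >= 0;
    case '<': return c < 0;
    case '<=': return c <= 0;
    case '~': return c >= 0 && cmp(v, [base[0], base[1] + 1, 0]) < 0;
    case '^': { // caret: the leftmost non-zero component may not change
      const upper = base[0] > 0 ? [base[0] + 1, 0, 0]
        : base[1] > 0 ? [0, base[1] + 1, 0] : [0, 0, base[2] + 1];
      return c >= 0 && cmp(v, upper) < 0;
    }
  }
}
// "||" separates alternatives; whitespace joins comparators that must all hold.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).every(tok => satisfiesToken(v, tok)));
}
// Parse a yarn v1 lockfile into [{ name, version, deps: { depName: range } }].
function parseYarnLock(text) {
  const entries = []; let cur = null, inDeps = false;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ')) {
      // Header like `"flatlib@>=1.0.0 <1.3.0", flatlib@^1.2.0:`; the package
      // name is everything before the last "@" of the first key.
      const first = raw.replace(/:\s*$/, '').split(',')[0].trim().replace(/^"|"$/g, '');
      cur = { name: first.slice(0, first.lastIndexOf('@')), version: null, deps: {} };
      entries.push(cur);
      inDeps = false;
    } else if (raw.startsWith('    ') && inDeps) {
      const m = /^\s+"?([^"\s]+)"?\s+"?([^"]+?)"?\s*$/.exec(raw);
      if (m) cur.deps[m[1]] = m[2];
    } else if (raw.startsWith('  ')) {
      const line = raw.trim();
      if (line.startsWith('version ')) cur.version = line.slice(8).replace(/"/g, '');
      inDeps = line === 'dependencies:' || line === 'optionalDependencies:';
    }
  }
  return entries;
}
// Every entry that declares a dependency on `name`, with the range it asks for.
function dependents(entries, name) {
  return entries.filter(e => e.deps[name] !== undefined)
    .map(e => ({ name: e.name, dependent: `${e.name}@${e.version}`, requires: e.deps[name] }));
}
// Dependents whose declared range on `target` rejects `fixedVersion`.
function findBlockers(entries, target, fixedVersion) {
  return dependents(entries, target).filter(d => !satisfies(fixedVersion, d.requires));
}
// Constructed lockfile fragment; package names and the registry URL are fictional.
const SAMPLE_LOCK = `# yarn lockfile v1
"@acme/tooling@^2.1.0":
  version "2.1.4"
  resolved "https://registry.example/@acme/tooling/-/tooling-2.1.4.tgz"
  dependencies:
    flatlib "^1.2.0"
    report-gen "^3.0.0"

"flatlib@>=1.0.0 <1.3.0", flatlib@^1.2.0, flatlib@~1.2.3:
  version "1.2.9"

legacy-widget@~1.3.0:
  version "1.3.2"
  dependencies:
    "@acme/tooling" "^2.0.0"
    flatlib ">=1.0.0 <1.3.0"

report-gen@^3.0.0:
  version "3.0.1"
  dependencies:
    flatlib "~1.2.3"
`;
const lock = parseYarnLock(SAMPLE_LOCK);
for (const b of findBlockers(lock, 'flatlib', '1.4.0')) {
  console.log(`${b.dependent} requires flatlib ${b.requires}`);
  for (const d of dependents(lock, b.name)) console.log(`  pinned by ${d.dependent} (${d.requires})`);
}
```

Two caveats when using this against a real repository: the lockfile does not record the ranges in the root package.json, so the project's own direct constraint on the vulnerable package has to be checked separately, and a blocker found here may itself be pinned by a further dependent (walk `dependents()` again from each blocker to build the "tree of pre-dependencies" the request asks for). Any range outside the supported subset makes `satisfiesToken` throw rather than silently guess, which is the safer failure for a security triage script.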

@stale stale bot added the wontfix label Oct 23, 2019
@feelepxyz feelepxyz added the T: feature-request Requests for new features label Oct 23, 2019
@stale stale bot removed the wontfix label Oct 23, 2019
@codingthat

I would love a fix for this. Recently encountered this on a default project generated for the popular Express framework: expressjs/generator#258 I'm sure Dependabot knows what the conflict is...it'd be super helpful to have it share the details! :)

@infin8x infin8x added the F: pull-requests Issues about Dependabot pull requests label Jul 20, 2020
@dependabot dependabot deleted a comment from stale bot Jan 30, 2023
@jeffwidman jeffwidman added the F: security-updates 🔐 Issues specific to security updates label Jan 30, 2023
@jeffwidman
Member

We shipped a lot of improvements for this behavior with the NPM ecosystem:

It's not a complete fix, but it addresses many of the scenarios that resulted in blocked updates.

While this issue makes sense in theory, it's not very actionable. It doesn't specify which ecosystem... much of this unlocking logic is custom per-ecosystem, so we need to know where it's being hit. And generally Dependabot doesn't know what is blocking; if it did, it'd include it in the PR. Instead, what may be happening is we may get a log message that Dependabot hasn't been taught how to parse, so it's simply treating it as a wall of text that we expose in the job logs.

So I'm going to close this, and if you do hit this in specific situations, please file a new bug and include more specifics so we can figure out the actual blocking bug for that particular scenario.

@jeffwidman jeffwidman closed this as not planned Jan 30, 2023
5 participants