Dependabot creates misleading links to PR's due to embedded changelog #3309

Closed
iliapolo opened this issue Mar 21, 2021 · 2 comments
Labels
T: bug 🐞 Something isn't working


@iliapolo

Package manager/ecosystem

ALL

Manifest contents prior to update

Not Applicable

Updated dependency

Any

What you expected to see, versus what you actually saw

Dependabot PRs embed the changelog of the updated dependency in their PR body.

[Image: Screen Shot 2021-03-21 at 12 34 37 PM]

These changelogs often include text in the form of:

go: duplicate conversion functions when parent structs have the same base name (#2697) (52bd510), closes https://github.com/aws/jsii/issues/2632

This creates a closing relationship between the dependabot PR and the issue mentioned in the changelog.
This creates clutter and confusion, as the dependabot PR most certainly does not resolve the issue it mentions.

In addition, if the PR is approved/merged by a user that has permissions to both repositories, merging the dependabot PR will actually close the mentioned issue, which is not intended.

Images of the diff or a link to the PR, issue or logs

For example, the following dependabot PR in the aws-delivlib-sample repository closed an issue in the jsii repository.

[Image: Screen Shot 2021-03-21 at 12 32 18 PM]

You can also see the number of links created to this issue due to dependabot PRs in unrelated repositories.

I would expect dependabot PRs to not create any implicit links to other issues, and this indeed doesn't seem intentional, but rather a consequence of GitHub functionality.

@iliapolo iliapolo added the T: bug 🐞 Something isn't working label Mar 21, 2021
@feelepxyz
Contributor

👋 @iliapolo this looks like a regression, we try to not backlink github links in dependabot PRs. Will take a look.

@feelepxyz
Contributor

@iliapolo we already fixed this here, just confirmed new PRs to update jsii-pacmak don't create backlinks anymore: cdklabs/cdk-watchful#399
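
The following is an added example, not part of the thread and not Dependabot's own code: a Ruby sketch that finds GitHub closing-keyword references in third-party changelog text before it is embedded in a PR body, and wraps the reference in a code span so it can no longer act as a link. The function names are hypothetical, and the mitigation assumes GitHub does not autolink references inside code spans; the thread does not show how Dependabot's actual fix works.

```ruby
# Added illustration; not dependabot-core code. All names are hypothetical.

# GitHub's closing keywords: close(s/d), fix(es/ed), resolve(s/d),
# case-insensitive, optionally followed by a colon.
KEYWORD = /\b(?<keyword>close[sd]?|fix(?:e[sd])?|resolve[sd]?):?/i

# What may follow a keyword: an issue/PR URL, owner/repo#N, or a bare #N.
REFERENCE = %r{
  (?<ref>
    https?://github\.com/(?<url_repo>[\w.-]+/[\w.-]+)/(?:issues|pull)/(?<url_num>\d+)
    | (?<short_repo>[\w.-]+/[\w.-]+)?\#(?<short_num>\d+)
  )
}x

CLOSING_REFERENCE = /(?<lead>#{KEYWORD}\s+)#{REFERENCE}/

# The changelog line quoted in the issue report above.
SAMPLE_CHANGELOG = "go: duplicate conversion functions when parent structs have " \
                   "the same base name (#2697) (52bd510), " \
                   "closes https://github.com/aws/jsii/issues/2632"

# Lists every "keyword + reference" pair that would create a closing link.
# repo is nil for a bare #N, which GitHub resolves against the PR's own repo.
def closing_references(text)
  text.to_enum(:scan, CLOSING_REFERENCE).map do
    m = Regexp.last_match
    { keyword: m[:keyword].downcase,
      repo: m[:url_repo] || m[:short_repo],
      number: (m[:url_num] || m[:short_num]).to_i }
  end
end

# Keeps the changelog readable but puts each reference in a code span,
# so the embedded text carries no live issue reference after the keyword.
def neutralize_closing_references(text)
  text.gsub(CLOSING_REFERENCE) do
    m = Regexp.last_match
    "#{m[:lead]}`#{m[:ref]}`"
  end
end

if __FILE__ == $PROGRAM_NAME
  p closing_references(SAMPLE_CHANGELOG)
  puts neutralize_closing_references(SAMPLE_CHANGELOG)
end
```

The plain `(#2697)` in the sample is left untouched because no closing keyword precedes it; a stricter sanitizer would neutralize every cross-repository reference, not only the closing ones.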
