Dependabot ignore semantic version not working with latest dependabot-updater-maven

[phuc98ute]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

maven

Package manager version

maven

Language version

Java

Manifest location and content before the Dependabot update

https://github.com/phuc98ute/dependabot-ignore-major/blob/main/pom.xml

dependabot.yml content

Ref here: https://github.com/phuc98ute/dependabot-ignore-major/blob/main/.github/dependabot.yml

Updated dependency

org.mockito:mockito-core from 4.11.0 to 5.0.0

What you expected to see, versus what you actually saw

• Expect no version update for org.mockito:mockito-core.
• Actual: The dependabot create PR to upgrade depedency to next major version 5.0.0
  On the github action log, it show that the updater received correct ignore version config at here and here. However, it found a latest version 5.0.0 and decide to upgrade version from 4.11.0 to 5.0.0 here

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

phuc98ute/dependabot-ignore-major#1

Smallest manifest that reproduces the issue

Please ref to public demo repo here: https://github.com/phuc98ute/dependabot-ignore-major

[ralfkonrad]

Same here:

      - dependency-name: "org.apache.mina:mina-core"
        update-types:
          - "version-update:semver-major"

got ignored.

Also, dependabot create a PR for Bump jakarta.inject:jakarta.inject-api from 2.0.1 to 2.0.1.MR which is actually a step backwards rather than forward.

[nabeelpaytrix]

We've noticed this too, is there an immediate workaround, e.g. reverting the Dependabot version we are using? Do you have a known working version?

[phuc98ute]

We've noticed this too, is there an immediate workaround, e.g. reverting the Dependabot version we are using? Do you have a known working version?

@nabeelpaytrix do you know any way to specify version for dependabot-updater-maven on dependabot v2?
I believe we should try with 2 days ago version: v2.0.20240917210021

[phuc98ute]

@amazimbe sorry for this inconvenience.
I see the latest merged PR is your end Use new implementation of Maven version standard, so I hope you have useful information to address the reported issue.
It has a significant impact on our project with many repos were upgraded to the wrong version.

[jmax01]

Yesterday evening there were 11...

[amazimbe]

@amazimbe sorry for this inconvenience. I see the latest merged PR is your end Use new implementation of Maven version standard, so I hope you have useful information to address the reported issue. It has a significant impact on our project with many repos were upgraded to the wrong version.

@phuc98ute the issue with the ignore conditions seems to be present even in versions prior to merging the PR you cited. I run an older version of dependabot against phuc98ute/dependabot-ignore-major and got

+---------------------------------------------------------------------------------------+
updater | | Changes to Dependabot Pull Requests |
updater | +---------+-----------------------------------------------------------------------------+
updater | | created | org.springframework.boot:spring-boot-starter-parent ( from 3.3.3 to 3.3.4 ) |
updater | | created | org.mockito:mockito-core ( from 4.11.0 to 5.13.0 ) |
updater | +---------+-----------------------------------------------------------------------------+

[amazimbe]

Also, dependabot create a PR for Bump jakarta.inject:jakarta.inject-api from 2.0.1 to 2.0.1.MR which is actually a step backwards rather than forward.

The issue with the 2.0.1.MR version is expected and was explained on this discussion #10626 . Basically, we decided to follow the maven specification for version identifiers. In this spec, MR is not one of the supported qualifiers for prereleases or development versions.