Dependabot ignores maven exclusions

[turing85]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

maven

Package manager version

maven 3.8.7

Language version

Java 17

Manifest location and content before the Dependabot update

https://github.com/quarkiverse/quarkus-artemis/blob/main/pom.xml
https://github.com/quarkiverse/quarkus-artemis/blob/main/build-parent/pom.xml
https://github.com/quarkiverse/quarkus-artemis/blob/main/integration-tests/camel-jms/pom.xml

dependabot.yml content

https://github.com/quarkiverse/quarkus-artemis/blob/main/.github/dependabot.yml

Lines of relevance:

• 21-22
• 33-34
• 44-45
• 57-58

Updated dependency

io.quarkus:quarkus-bom:

• from 2.16.12 to 3.9.2: Bump quarkus.version from 2.16.12.Final to 3.9.2 quarkiverse/quarkus-artemis#470
• from 3.2.11 to 3.9.2: Bump quarkus.version from 3.2.11.Final to 3.9.2 quarkiverse/quarkus-artemis#465
• from 3.7.4 to 3.9.2: Bump quarkus.version from 3.7.4 to 3.9.2 quarkiverse/quarkus-artemis#466
• from 3.8.3 to 3.9.2: Bump quarkus.version from 3.8.3 to 3.9.2 quarkiverse/quarkus-artemis#469

What you expected to see, versus what you actually saw

Expected:

The pull requests above should not have been opened.

Actual:

The pull requests were opened.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

See above.

Smallest manifest that reproduces the issue

No response

Additional information

• We recently changed the dependabot.yml in two commits, adding additional exclusions to two branches:

  • 049920df4ee580075d519b8b5ce0dbecd858a21f
  • 1242e44ed420779e1e77f66754601561dc839b62

• It is only io.quarkus:quarkus-bom that is stepping out of line. Dependency io.quarkus.platform:quarkus-camel-bom (which uses the same mechanism) behaves as expected.

[lkreimann]

We have the same issue with JavaScript dependencies in some of our repositories. Unfortunately they are private repositories, so I can't give a lot of details to reproduce this issue.

[turing85]

Next round of MRs behaved the same:

• from 2.16.12 to 3.9.3: Bump quarkus.version from 2.16.12.Final to 3.9.3 quarkiverse/quarkus-artemis#480
• from 3.2.11 to 3.9.3: Bump quarkus.version from 3.2.11.Final to 3.9.3 quarkiverse/quarkus-artemis#478
• from 3.7.4 to 3.9.3: Bump quarkus.version from 3.7.4 to 3.9.3 quarkiverse/quarkus-artemis#481
• from 3.8.3 to 3.9.3: Bump quarkus.version from 3.8.3 to 3.9.3 quarkiverse/quarkus-artemis#479

[turing85]

It seems that dependabot is aware of the ignore condition, but did not apply it: quarkiverse/quarkus-artemis#481 (comment)

[turing85]

I dug through the logs of dependabot. The logs say that "All updates for io.quarkus:quarkus-bom were ignored". But, for example, for io.quarkus:quarkus-maven-plugin (which shares its version with io.quarkus:quarkus-bom), the logs do not show such a message. This seems to be the root cause why those dependencies get updated.

[turing85]

For anyone having the issue: we were able to work around this with this MR: quarkiverse/quarkus-artemis#484. The important part is that we ignore io.quarkus:* instead of only ignoring io.quarkus:quarkus-bom.