Package ecosystem
yarn
Package manager version
4.6.0
Language version
Node.js v18.20.5
Manifest location and content before the Dependabot update
Package JSON /web-client/package.json
dependabot.yml content
Private repository. Happy to provide access where required, but it's not generally applicable to this bug.
https://github.com/StileEducation/dev-environment/blob/master/.github/dependabot.yml
Updated dependency
MathLive, 0.103.0 to 0.104.0.
What you expected to see, versus what you actually saw
The security label applied to the PR, even though it contained both security and non-security updates in one version bump.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
Not our repository, but this is an example of the dependency update elsewhere without the label: cortex-js/cortexjs.io#62
Our repository:
I actually suspect this is because of the following line https://github.com/dependabot/dependabot-core/blob/754c5bccfd78917dc28caa1fc1ee12be3207d592/updater/lib/dependabot/updater/operations/create_security_update_pull_request.rb#L25C15-L25C36 which expects to upgrade versions minimally, but this is the minimal version.
Smallest manifest that reproduces the issue
No response