Go: Transitive dependency failures block Dependabot from opening any PR's #4591
Comments
What version of
This occurs across several repos in our organization, but most are on 1.16 I believe.
We've hit a similar issue in the past due to deleted versions, but for a direct dependency even: freifunkMUC/wg-embed#3
Ideally Dependabot could recover itself from this situation and just update the version to the latest one, if it can't fetch a differential changelog / commit log in this case so be it, better than being stuck forever. Technically a different issue with direct<->indirect dependencies, but I think it's the same category of "Dependabot should keep (mostly) working if it encounters non-fatal errors".
👋 sorry for the slow response. A couple of thoughts:
I don't think there's much we can / should do here, so I'm going to close as won't fix, but if for some reason I'm wrong, please comment and we can re-open.
Package ecosystem
gomod
Package manager version
1
Language version
N/A
Manifest location and content prior to update
The manifest lives in a private repo, so I will give an abbreviated example:
dependabot.yml content
What you expected to see, versus what you actually saw
In the example I gave, I would expect a pull request to be opened on my repository to bump the AWS dependency to the latest, since there are many newer versions than 1.0.0. However, the fact that the go-auth0 dependency has been deleted off of GitHub causes Dependabot to print a bunch of error logs like before eventually giving up on the retries. No pull requests get opened, but I would expect that despite this partial failure, dependabot could still open one for the aws-sdk dependency.
This is of course a toy example: since the dependency has been deleted from GitHub, there is no reason for me to list github.com/auth0-community/go-auth0 in my go.mod file. The challenge comes from the fact that in production, I have a version-tagged gomod dependency github.com/myorg/myproject v1.1.4, which itself has a dependency on github.com/auth0-community/go-auth0: since the auth0 repo has been deleted, dependabot fails to open any PR's.