Dependabot opens pull requests with conflicts

[localheinz]

Package manager/ecosystem

composer

Manifest contents prior to update

In an effort to reduce the total number of builds I reduced the open-pull-requests-limit from 10 to 1. Since then Dependabot frequently opens pull requests that

• have conflicts in composer.lock from the outset
• do not trigger builds

I am not sure what the problem is, but I have seen this frequently since I made the change.

Here's an example:

ergebnis/composer-normalize#634

[thepwagner]

This just seems like a known edge case in Dependabot: pull requests are created by applying updates to files from a particular commit.
If the repository's base branch is updated (in this example, by merging ergebnis/composer-normalize#633 ?) while the PR based on the previous commit is being created by Dependabot, the resulting PR will be in conflict.
Composer's slow processing speed makes this worse, by increasing the time between the base branch is retrieved and the resulting PR is opened.

I don't think the open-pull-requests-limit setting should play a role here?

Not triggering builds is related to GitHub Actions: Actions does not trigger builds for pull requests that have conflicts. This is just another symptom of the first problem.

---

In an effort to reduce the total number of builds

cc grouped updates #1190

[localheinz]

@thepwagner

When

• I use open-pull-requests-limit: x
• Dependabot processed a repository and has determined multiple dependencies require an update

it appears to me as if

• Dependabot prepares y pull requests in parallel (with y potentially greater than x)
• Dependabot opens x pull requests

where I would expect

1. Dependabot prepares at most x pull requests in parallel
2. Dependabot opens at most x pull requests
3. after a merge, Dependabot checks dependencies again and, if necessary, continues at 1.

So for example, when x is 1:

1. Dependabot prepares 1 pull request
2. Dependabot opens 1 pull request
3. after a merge, Dependabot checks dependencies again and, if necessary, continues at 1.

What do you think?

[thepwagner]

@localheinz that's correct: the pull request limit is enforced when pull requests are sent to github.com, not during Dependabot's calculation of the required diffs.
The implications are worse than noted: Dependabot will prepare y pull requests every run, even if there already are >= x pull requests opened when it began.

Thanks for the clearly stated expectations. Meeting them will take some major changes to Dependabot's architecture, which may take a while.

[localheinz]

@thepwagner

Any news on this issue?

[deivid-rodriguez]

I think we have actually fixed this issue recently though some internal changes. I'm going to tentatively close this, but please reopen if you're still running into this. Thanks!