fix: handle duplicate dependency names in parseMetadataLinks #700
Merged
truggeri merged 2 commits into dependabot:main from Apr 9, 2026
When the same dependency name appears multiple times in a grouped update (e.g., picomatch updated via multiple transitive paths at different semver ranges), the Map in parseMetadataLinks would overwrite earlier entries, keeping only the last version pair for that name. This caused 2.3.2), incorrectly classifying patch bumps as major updates. Changed parseMetadataLinks to store an array of version pairs per dependency name (Map<string, dependencyVersions[]>) and added a per-name counter in the consumer to retrieve the correct entry for each YAML dependency in order. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Pull request overview
Fixes incorrect update-type classification when the same dependency name appears multiple times in Dependabot metadata links by preserving all version pairs and consuming them deterministically.
Changes:
- Update `parseMetadataLinks()` to store multiple version pairs per dependency name (`Map<string, dependencyVersions[]>`) instead of overwriting.
- Add per-dependency occurrence counters in the YAML consumer to select the correct version pair for each repeated dependency entry.
- Add a regression test covering duplicate `picomatch` entries at different major ranges (2.x and 4.x).
| File | Description |
|---|---|
| src/dependabot/update_metadata.ts | Store multiple metadata-link version pairs per dependency name and consume them via per-name indexing. |
| src/dependabot/update_metadata.test.ts | Add test ensuring duplicate dependency names don’t mix version pairs and update types remain correct. |
| dist/index.js | Update compiled output to reflect the TypeScript changes. |
Copilot's findings
- Files reviewed: 2/3 changed files
- Comments generated: 1
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
truggeri approved these changes Apr 9, 2026
Summary
parseMetadataLinks() uses a Map<string, dependencyVersions> to store version info parsed from metadata links in the commit message. When the same dependency name appears multiple times (e.g., picomatch updated via multiple transitive paths at different semver ranges like v2.x and v4.x), the Map's .set() overwrites earlier entries, keeping only the last version pair. This causes calculateUpdateType() to compare mismatched versions, potentially classifying a patch bump as a major update.
Fix
- Changed the parseMetadataLinks return type to Map<string, dependencyVersions[]> — stores an array of version pairs per dependency name
- Added a per-name counter (nameCounters Map) to retrieve the correct version entry for each YAML dependency, matching the order they appear in metadata links
Test
Added a test case reproducing the exact scenario:
- Two picomatch entries at different semver ranges (2.3.1→2.3.2 and 4.0.1→4.0.2)
- Both classified as semver-patch
Fixes #699
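The bug and fix described in this PR, as an added TypeScript example that is not the project's own code: a last-write-wins parseMetadataLinks beside the array-per-name version, each driven by a consumer over the same duplicated picomatch entries. The "Updates `x` from a to b" link format, the dependencyVersions shape and the update-type labels are assumptions made for the example.

```typescript
// Added example, not the project's own code: the last-write-wins Map bug this PR
// describes beside the array-per-name fix; link format, types and labels are assumed.
type dependencyVersions = { previous: string; next: string }
type YamlDependency = { name: string; version: string }
// Constructed inputs: links with picomatch twice (2.x and 4.x) and the YAML entries, in link order.
const COMMIT_MESSAGE =
  'Updates `picomatch` from 2.3.1 to 2.3.2\nUpdates `minimatch` from 9.0.3 to 9.0.4\n' +
  'Updates `picomatch` from 4.0.1 to 4.0.2'
const YAML_DEPS: YamlDependency[] = [{ name: 'picomatch', version: '2.3.2' },
  { name: 'minimatch', version: '9.0.4' }, { name: 'picomatch', version: '4.0.2' }]
// Parse the link lines into [line, name, previous, next] matches (format assumed).
const linkLines = (msg: string): RegExpExecArray[] => msg.split('\n')
  .map(l => /^Updates `([^`]+)` from (\d\S*) to (\d\S*)$/.exec(l))
  .filter((m): m is RegExpExecArray => m !== null)
// Buggy: Map.set() overwrites, so only the last pair per name survives.
function parseMetadataLinksBuggy(msg: string): Map<string, dependencyVersions> {
  const out = new Map<string, dependencyVersions>()
  for (const [, name, previous, next] of linkLines(msg)) out.set(name, { previous, next })
  return out
}
// Fixed: keep every pair per name, in the order the links appear.
function parseMetadataLinks(msg: string): Map<string, dependencyVersions[]> {
  const out = new Map<string, dependencyVersions[]>()
  for (const [, name, previous, next] of linkLines(msg)) {
    out.set(name, [...(out.get(name) ?? []), { previous, next }])
  }
  return out
}
function calculateUpdateType(previous: string, next: string): string {
  const [p, n] = [previous, next].map(v => v.split('.').map(Number))
  if (p[0] !== n[0]) return 'semver-major'
  return p[1] !== n[1] ? 'semver-minor' : 'semver-patch'
}
// Buggy consumer: the first picomatch entry (2.3.2) meets the surviving 4.0.1 pair.
function classifyBuggy(deps: YamlDependency[], msg: string): string[] {
  const links = parseMetadataLinksBuggy(msg)
  return deps.map(d => calculateUpdateType(links.get(d.name)!.previous, d.version))
}
// Fixed consumer: a per-name counter walks each name's pairs in link order.
function classifyFixed(deps: YamlDependency[], msg: string): string[] {
  const links = parseMetadataLinks(msg)
  const nameCounters = new Map<string, number>()
  return deps.map(d => {
    const i = nameCounters.get(d.name) ?? 0
    nameCounters.set(d.name, i + 1)
    return calculateUpdateType(links.get(d.name)![i].previous, d.version)
  })
}
```

Running classifyBuggy over the constructed inputs reports the first picomatch entry as semver-major, while classifyFixed reports all three entries as semver-patch.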