Is there an existing issue for this?
Feature description
When Dependabot bumps a single Go dependency for a security fix, it does not check whether other direct or transitive dependencies in the module are API-compatible with the new version. This frequently results in build failures due to incompatible peer dependencies.
Examples observed:
Bumping google.golang.org/grpc to 1.79.3 while google.golang.org/api is pinned at v0.114.0 (incompatible APIs)
Bumping google.golang.org/grpc to 1.79.3 while google.golang.org/genproto is pinned to a 2020 version via a replace directive (incompatible)
Expected Behavior
When bumping a dependency for a security fix, Dependabot should:
Run go mod tidy after the bump to detect resolution failures
If the build fails due to incompatible peer dependencies, attempt to bump the minimum set of conflicting dependencies to compatible versions
If automatic resolution is not possible, clearly report the conflicting dependencies in the PR description so maintainers know what else needs updating
Current Workaround
Manually identify and bump conflicting dependencies, remove outdated replace directives, and run go mod tidy.
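One check that surfaces the second example (an old replace directive pinning genproto) before a grpc bump ever reaches CI, as an added example that is not part of this issue or of Dependabot: the Go program below scans go.mod text for replace directives that pin a pseudo-version older than a cutoff year and lists them the way the requested PR description would. The go.mod content, the module path example.com/svc and the commit hash are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed go.mod modelled on the issue's second example: grpc bumped to 1.79.3
// while a leftover replace pins genproto to a 2020 pseudo-version (placeholder hash).
const sampleGoMod = `module example.com/svc
require google.golang.org/grpc v1.79.3
replace google.golang.org/genproto => google.golang.org/genproto v0.0.0-20200526211855-abcdefabcdef
`

// pseudoRe matches pseudo-versions like v0.0.0-20200526211855-abcdefabcdef, capturing the year.
var pseudoRe = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:[\w.]+\.)?(\d{4})\d{10}-[0-9a-f]{12}$`)

// StaleReplaces parses replace directives (single-line and block form) and returns
// "module => target version" for each one pinning a pseudo-version committed before minYear.
func StaleReplaces(goMod string, minYear int) (stale []string) {
	inBlock := false
	for _, line := range strings.Split(goMod, "\n") {
		line = strings.TrimSpace(line)
		if line == "replace (" || (inBlock && line == ")") {
			inBlock = !inBlock
			continue
		}
		if !inBlock && !strings.HasPrefix(line, "replace ") {
			continue
		}
		lhs, rhs, ok := strings.Cut(strings.TrimPrefix(line, "replace "), "=>")
		l, r := strings.Fields(lhs), strings.Fields(rhs)
		if !ok || len(l) == 0 || len(r) < 2 {
			continue // malformed line or directory replacement: nothing to date
		}
		if m := pseudoRe.FindStringSubmatch(r[1]); m != nil && m[1] < strconv.Itoa(minYear) { // 4-digit years compare as strings
			stale = append(stale, fmt.Sprintf("%s => %s %s", l[0], r[0], r[1]))
		}
	}
	return stale
}

func main() {
	for _, s := range StaleReplaces(sampleGoMod, 2023) {
		fmt.Println("stale replace:", s)
	}
}
```

Running it against a real go.mod (read the file instead of sampleGoMod) gives maintainers the list of pins to remove or refresh before the security bump is attempted.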
Impact
Security update PRs frequently fail CI, requiring manual investigation to identify which peer dependencies are incompatible. This adds significant toil and delays security remediation.