Fix combined_version to prefer higher version when merging duplicate dependencies#15507
Open
thavaahariharangit with Copilot wants to merge 11 commits into
Open
Fix combined_version to prefer higher version when merging duplicate dependencies#15507thavaahariharangit with Copilot wants to merge 11 commits into
thavaahariharangit with Copilot wants to merge 11 commits into
Conversation
…dependencies
When the same dependency appears in multiple files (e.g., requirements.txt and
constraints.txt) with different pinned versions, DependencySet.combined_version
now picks the higher version instead of the lower one.
This fixes a bug where the dependency graph job would report a vulnerable
version from a constraint file even though the main requirements file had
been updated to a non-vulnerable version, preventing Dependabot alerts from
transitioning to "fixed".
Closes github/dependabot-updates#13931
Co-authored-by: thavaahariharangit <164553783+thavaahariharangit@users.noreply.github.com>
With the combined_version fix preferring higher versions, update the test expectation from "2.0.0" (constraint version) to "2.4.1" (requirements.txt version) when both files pin the same dependency at different versions. Co-authored-by: thavaahariharangit <164553783+thavaahariharangit@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix Dependabot alert not transitioning to fixed status
Fix combined_version to prefer higher version when merging duplicate dependencies
Jul 6, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This pull request updates Dependabot’s shared DependencySet merging behavior so that when duplicate dependencies with the same top-level status are merged, the higher valid version is retained in the combined dependency’s version field. This primarily affects snapshot/reporting scenarios (e.g., dependency graph “fixed” transitions) rather than per-file update behavior.
Changes:
- Adjust
DependencySet#combined_versionto prefer the higher version when both versions are valid and have equal precedence. - Update the Python file parser spec to expect the combined dependency version to reflect the higher pinned requirement when both requirement and constraint entries exist.
- Clarify the Python helper test description/comment around parsing constraint files.
Show a summary per file
| File | Description |
|---|---|
| common/lib/dependabot/file_parsers/base/dependency_set.rb | Changes the final tiebreaker in combined_version so the higher version wins when merging duplicates. |
| python/spec/dependabot/python/file_parser_spec.rb | Updates expectations for the combined dependency version when both requirements and constraints specify versions. |
| python/helpers/test/test_parse_requirements.py | Updates test docstring/comment wording around constraint-file parsing behavior. |
Review details
- Files reviewed: 3/3 changed files
- Comments generated: 1
- Review effort level: Low
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What are you trying to accomplish?
When the same dependency appears in multiple files (e.g.,
requirements.txtpinsurllib3==2.7.0andconstraints.txtpinsurllib3==2.5.0),DependencySet#combined_versionalways kept the lower version. This caused the dependency graph snapshot to report the vulnerable version even after the user updated their manifest, preventing alerts from transitioning to "fixed".The fix swaps the version preference so the higher version wins when both entries have the same top-level status:
Anything you want to highlight for special attention from reviewers?
common/infrastructure, so it impacts multiple ecosystems. In this PR we updated affected expectations in Python, Maven, Gradle, GitHub Actions, and npm/yarn lockfile/parser/resolver specs.:all_versionsflattening and subdependency lockfile filtering logic so duplicate-version lockfiles are handled consistently.How will you know you've accomplished your goal?
common/spec/dependabot/file_parsers/base/dependency_set_spec.rbpasses with the higher-version behavior.Checklist
Review follow-ups
DependencySetchange required expectation updates across Python, Maven, Gradle, GitHub Actions, and npm/yarn specs.:all_versionsmetadata inbun/helpers.rbbun/sub_dependency_files_filterer.rb