grouped updates didn't group gomod updates #7974

Closed
1 task done
wadey opened this issue Sep 5, 2023 · 2 comments
Labels
F: grouped-updates 🎳 Relates to bumping more than one dependency in a single PR L: go:modules Golang modules T: bug 🐞 Something isn't working

wadey commented Sep 5, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

gomod

Package manager version

No response

Language version

1.20

Manifest location and content before the Dependabot update

go.mod: https://github.com/slackhq/nebula/blob/06b480e17751eb5d719ec85cb34e1abd51280a64/go.mod

dependabot.yml content

https://github.com/slackhq/nebula/blob/06b480e17751eb5d719ec85cb34e1abd51280a64/.github/dependabot.yml

Updated dependency

What you expected to see, versus what you actually saw

These dependencies should have been grouped together. My dependabot config has the following, so I expected them to be grouped with golang-x-dependencies:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      golang-x-dependencies:
        patterns:
          - "golang.org/x/*"
      zx2c4-dependencies:
        patterns:
          - "golang.zx2c4.com/*"
      protobuf-dependencies:
        patterns:
          - "github.com/golang/protobuf"
          - "google.golang.org/protobuf"

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

@wadey wadey added the T: bug 🐞 Something isn't working label Sep 5, 2023
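
One way to spot this failure from the outside, as an added example (not Dependabot's code and not posted by anyone in this thread): read the `groups` from dependabot.yml and flag single-dependency PR titles whose dependency matches a group pattern. It assumes `*` matches any run of characters and that the first matching group wins, and it ignores `update-types`; the helper names and the PR titles are constructed for illustration.

```ruby
require "yaml"

# gomod entry from the dependabot.yml quoted in the issue (schedule omitted).
CONFIG = <<~YAML
  updates:
    - package-ecosystem: "gomod"
      groups:
        golang-x-dependencies:
          patterns:
            - "golang.org/x/*"
        zx2c4-dependencies:
          patterns:
            - "golang.zx2c4.com/*"
        protobuf-dependencies:
          patterns:
            - "github.com/golang/protobuf"
            - "google.golang.org/protobuf"
YAML

# Constructed PR titles (module versions are made up for illustration).
PR_TITLES = [
  "Bump golang.org/x/crypto from 0.12.0 to 0.13.0",
  "Bump golang.org/x/net from 0.14.0 to 0.15.0",
  "Bump github.com/miekg/dns from 1.1.55 to 1.1.56",
  "Bump the zx2c4-dependencies group with 2 updates"
].freeze

# Assumption: "*" matches any run of characters, everything else is literal.
def pattern_to_regex(pattern)
  Regexp.new("\\A" + pattern.split("*", -1).map { |p| Regexp.escape(p) }.join(".*") + "\\z")
end

# Returns the name of the first group whose patterns match dep, or nil.
def group_for(dep, groups)
  groups.find { |_, g| g.fetch("patterns", []).any? { |p| pattern_to_regex(p).match?(dep) } }&.first
end

# Returns { dependency => group } for single-dependency PRs that a group should have absorbed.
def ungrouped_prs(config_yaml, ecosystem, titles)
  update = YAML.safe_load(config_yaml)["updates"].find { |u| u["package-ecosystem"] == ecosystem }
  groups = update&.fetch("groups", {}) || {}
  titles.each_with_object({}) do |title, out|
    dep = title[/\ABump (\S+) from \S+ to \S+\z/, 1] or next
    group = group_for(dep, groups)
    out[dep] = group if group
  end
end

puts ungrouped_prs(CONFIG, "gomod", PR_TITLES).map { |d, g| "#{d} should be in #{g}" }
```

A non-empty result means individual PRs were opened for dependencies that a configured group covers, which is the symptom reported here.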

sglavoie commented Sep 7, 2023

We experienced the same situation in a (private) project using npm with a different set of patterns (irrelevant context removed):

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    groups:
      dev-dependencies:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"

We expected to see something like Bump the dev-dependencies group with X updates and yet Dependabot opened multiple PRs that should have been grouped:

Bump core-js from 3.32.1 to 3.32.2
Bump @fluentui/react-components from 9.29.4 to 9.30.4
Bump javascript-obfuscator from 4.0.2 to 4.1.0

Edit: We closed all existing pull requests from Dependabot, re-committed dependabot.yml and then it worked. When navigating to https://github.com/{owner}/{repo}/network/updates (Insights > Dependency graph > Dependabot) and checking the results for the last scan, we can find in the update logs the keywords "Starting grouped update", which weren't present on the previous run that didn't group updates.

@jakecoffman jakecoffman added F: grouped-updates 🎳 Relates to bumping more than one dependency in a single PR L: go:modules Golang modules labels Sep 28, 2023
@jakecoffman
Member

@wadey I checked the database and it didn't have a record of the groups in the dependabot.yml for slackhq/nebula, so I kicked off a resync job and now it's showing the groups.

@sglavoie Yes this sounds like the same problem since it was fixed by modifying dependabot.yml.

Usually a whitespace change to the dependabot.yml will fix it as well.

I think Dependabot's service somehow missed the message that the dependabot.yml was updated so the new groups weren't processed. I'm going to reference this in an internal tracking issue, we've been looking at making some improvements around this to prevent it from happening.

Thanks for the report!

@jakecoffman jakecoffman self-assigned this Feb 26, 2024