Wrongly reported dependency changes in GitHub app #120

Open
karfau opened this issue Aug 6, 2023 · 6 comments

karfau commented Aug 6, 2023

Hey there, I hope this issue is in the correct place. Happy to report it in a different place, let me know where.

I have recently found more and more comments by the GitHub App that claim a dependency has been removed in a pure dependency upgrade PR.

There are plenty of examples in the xmldom repo

but the most recent one is here:
xmldom/xmldom#521 (comment)

All of these are really bumping a dependency version, not dropping it.

I'm currently assuming this also relates to issues where already approved issues have to be approved again, but I don't have an example I can share of that right now. (And maybe this is a separate issue? But I think it makes sense to first solve this one.)

karfau commented Aug 13, 2023

From my perspective this issue is ruining your reputation as a reliable source of information.
To avoid that effect, I'm starting to disable the GitHub App in some repositories, to avoid the noise and misinformation.

karfau commented Aug 14, 2023

Today I received a report/comment that claims an updated version of a dependency is new:
xmldom/xmldom#526 (comment)

Maybe it's a different issue or just unfortunate wording, but the dependency was upgraded as you can see from the diff.

karfau commented Feb 4, 2024

Is there any chance that you are looking into this?
This seems to still be the case after your announcement regarding improved reporting.

This is especially annoying since it renders the "new capabilities" and change in number of transient deps feature useless: if an updated version counts as removed and new version, all capabilities and transient deps of the new version always count as new.
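
Added example, not part of the original thread and not the GitHub App's own code: a sketch of the difference between diffing resolved dependencies by `name@version` (which turns every bump into a removal plus an addition) and diffing by package name. The package names, versions and capability labels are constructed, and the sketch assumes one resolved version per package name.

```javascript
// Constructed sample data: resolved dependencies (name -> version) before
// and after a version-bump PR. Names and versions are made up.
const before = new Map([["lib-a", "1.2.0"], ["lib-b", "0.9.1"], ["lib-c", "3.0.0"]]);
const after = new Map([["lib-a", "1.3.0"], ["lib-b", "0.9.1"], ["lib-d", "2.1.0"]]);

// Naive diff: identity is "name@version", so a bumped package appears once
// as removed and once as added, the behaviour reported in this issue.
function naiveDiff(before, after) {
  const key = ([name, version]) => `${name}@${version}`;
  const b = new Set([...before].map(key));
  const a = new Set([...after].map(key));
  return {
    removed: [...b].filter((k) => !a.has(k)).sort(),
    added: [...a].filter((k) => !b.has(k)).sort(),
  };
}

// Name-keyed diff: identity is the package name. A name present on both
// sides with a different version is a change, not a remove/add pair.
function classifyChanges(before, after) {
  const result = { added: [], removed: [], changed: [] };
  const names = new Set([...before.keys(), ...after.keys()]);
  for (const name of [...names].sort()) {
    const from = before.get(name);
    const to = after.get(name);
    if (from === undefined) result.added.push(`${name}@${to}`);
    else if (to === undefined) result.removed.push(`${name}@${from}`);
    else if (from !== to) result.changed.push(`${name}: ${from} -> ${to}`);
  }
  return result;
}

// For a changed package, only capabilities the old version lacked are new.
// Capability labels are hypothetical strings chosen for this example.
function newCapabilities(oldCaps, newCaps) {
  const old = new Set(oldCaps);
  return newCaps.filter((c) => !old.has(c));
}

console.log(naiveDiff(before, after));
console.log(classifyChanges(before, after));
console.log(newCapabilities(["filesystem"], ["filesystem", "network"]));
```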

karfau commented Mar 31, 2024

I have now seen the same thing happening for a Python package upgrade. So maybe this is the wrong repo for the report?

reberhardt7 commented Mar 31, 2024 via email

karfau commented Mar 31, 2024

@reberhardt7 here is the most recent example from the public xmldom repository:
xmldom/xmldom#643
This is a simple example since the updated package does not have a lot of dependencies.
Here is a slightly more involved example from the same repo:
xmldom/xmldom#629 (comment)

What other details do you need?
