
feat: Parse versions from metadata links #632

Merged: truggeri merged 7 commits into dependabot:main from ppkarwasz:feat/multi-versions on Dec 22, 2025

Conversation

ppkarwasz (Contributor) commented Jun 23, 2025

Dependabot PRs that update a **single** dependency include version details in the commit message introduction, e.g.,

> "Bumps `<dependency>` from `<prevVersion>` to `<newVersion>`"

This is the format generated by the [`commit_message_intro`](https://github.com/dependabot/dependabot-core/blob/cc4b4eaade37da0a19e0897e6897bab613064e74/common/lib/dependabot/pull_request_creator/message_builder.rb#L320-L325) method in Dependabot Core.

However, when **multiple dependencies** are updated in a single PR, this format isn't used consistently, which limits the action’s ability to extract accurate version information.

This change improves version parsing for multi-dependency PRs by introducing two additional detection strategies:

1. **YAML metadata parsing**
   Dependabot includes a YAML block in the commit message with structured details for each updated dependency:
   ```yaml
   updated-dependencies:
   - dependency-name: commons-codec:commons-codec
     dependency-version: 1.18.0
     dependency-type: direct:production
     update-type: version-update:semver-minor
     dependency-group: non-breaking
   ```
   This is the most reliable and stable source for the **new** version of each dependency, though it does **not** include the previous version.

2. **Metadata links parsing**
   In multi-dependency updates, Dependabot also appends “metadata links” with a format like:

   > "Updates `<dependencyName>` from `<prevVersion>` to `<newVersion>`"

   These lines are generated by the [`metadata_links`](https://github.com/dependabot/dependabot-core/blob/cc4b4eaade37da0a19e0897e6897bab613064e74/common/lib/dependabot/pull_request_creator/message_builder.rb#L664-L678) method and provide **both** the old and new versions.

By combining these sources, the action now supports version parsing for PRs with multiple updated dependencies—broadening its coverage and improving reliability.

Closes dependabot#402
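The three sources the description above lists, combined in one parser, as an added example in TypeScript (the language of the action's `src/`). This is not the fetch-metadata action's own code. The two sample commit messages are constructed; the `---`/`...` delimiters around the YAML block, the quoted `'2.0.17'` value, and the acceptance of a bare, backticked or markdown-link dependency name in the `from ... to` lines are assumptions about message layout rather than formats the PR description spells out.

```typescript
// Added example, not the fetch-metadata action's own code. It combines the three
// version sources in a Dependabot commit message: the single-dependency intro
// "Bumps <dep> from <prev> to <new>.", the YAML `updated-dependencies:` block (new
// version only) and the metadata links "Updates `<dep>` from <prev> to <new>".

interface DependencyUpdate {
  dependencyName: string;
  prevVersion: string;   // "" when no line in the message states it
  newVersion: string;
  dependencyType: string;
  updateType: string;
  dependencyGroup: string;
}
type FromTo = Pick<DependencyUpdate, 'prevVersion' | 'newVersion'>;

const YAML_KEYS: Record<string, keyof DependencyUpdate> = { 'dependency-name': 'dependencyName',
  'dependency-version': 'newVersion', 'dependency-type': 'dependencyType',
  'update-type': 'updateType', 'dependency-group': 'dependencyGroup' };

// Reads only the flat `updated-dependencies:` list (not general YAML) and stops at
// the first line that is neither "- key: value" nor "  key: value" ("...", blank, prose).
function parseYamlMetadata(message: string): Map<string, Partial<DependencyUpdate>> {
  const result = new Map<string, Partial<DependencyUpdate>>();
  const lines = message.split(/\r?\n/);
  const start = lines.findIndex((l) => l.trim() === 'updated-dependencies:');
  let current: Partial<DependencyUpdate> | null = null;
  for (const line of start === -1 ? [] : lines.slice(start + 1)) {
    const m = /^(\s*-\s+|\s+)([\w-]+):\s*(.*)$/.exec(line);
    if (!m) break;
    if (m[1].indexOf('-') !== -1) current = {};   // "- key: value" opens a new list item
    if (!current) break;                          // indented key before any item: malformed
    const key = YAML_KEYS[m[2]];
    if (key) current[key] = m[3].trim().replace(/^(["'])(.*)\1$/, '$2');  // strip YAML quotes
    if (current.dependencyName) result.set(current.dependencyName, current);
  }
  return result;
}

// Matches the intro ("Bumps X from A to B.") and the metadata links ("Updates `X` from
// A to B"). Accepting X bare, in backticks, or as a markdown link [X](url) is an
// assumption about message variants, not a format the PR description spells out.
function parseFromToLines(message: string): Map<string, FromTo> {
  const re = /^(?:Bumps|Updates)\s+(?:\[([^\]]+)\]\([^)]*\)|`([^`]+)`|(\S+))\s+from\s+(\S+?)\s+to\s+(\S+?)\.?[ \t]*$/gm;
  const result = new Map<string, FromTo>();
  let m: RegExpExecArray | null;
  while ((m = re.exec(message)) !== null) {
    result.set(m[1] ?? m[2] ?? m[3], { prevVersion: m[4], newVersion: m[5] });
  }
  return result;
}

// YAML entries define the dependency set and win for newVersion; "from ... to" lines
// are joined by name to supply prevVersion.
function parseUpdatedDependencies(message: string): DependencyUpdate[] {
  const yaml = parseYamlMetadata(message);
  const fromTo = parseFromToLines(message);
  // A single-dependency intro may label the dependency differently from
  // dependency-name (assumption), so pair the lone entries of both sources.
  const lone = yaml.size === 1 && fromTo.size === 1;
  let loneVersions: FromTo | undefined;
  fromTo.forEach((v) => { loneVersions = v; });
  const result: DependencyUpdate[] = [];
  yaml.forEach((meta, name) => {
    const v = fromTo.get(name) ?? (lone ? loneVersions : undefined);
    result.push({
      dependencyName: name,
      prevVersion: v ? v.prevVersion : '',
      newVersion: meta.newVersion ?? (v ? v.newVersion : ''),
      dependencyType: meta.dependencyType ?? '',
      updateType: meta.updateType ?? '',
      dependencyGroup: meta.dependencyGroup ?? '',
    });
  });
  return result;
}

// Constructed samples, not real Dependabot output; the "---"/"..." delimiters are assumed layout.
const GROUPED_MESSAGE = `Updates \`commons-codec:commons-codec\` from 1.17.0 to 1.18.0
Updates \`org.slf4j:slf4j-api\` from 2.0.16 to 2.0.17
---
updated-dependencies:
- dependency-name: commons-codec:commons-codec
  dependency-version: 1.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: non-breaking
- dependency-name: org.slf4j:slf4j-api
  dependency-version: '2.0.17'
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: non-breaking
...
`;
// Single-dependency form: the intro label "commons-codec" differs from dependency-name.
const SINGLE_MESSAGE = `Bumps [commons-codec](https://github.com/apache/commons-codec) from 1.17.0 to 1.18.0.
---
updated-dependencies:
- dependency-name: commons-codec:commons-codec
  dependency-version: 1.18.0
...
`;
for (const msg of [GROUPED_MESSAGE, SINGLE_MESSAGE]) console.log(JSON.stringify(parseUpdatedDependencies(msg), null, 2));
```

Run it with `npx tsx` (or compile with `tsc`) to print the merged records for both messages. Two choices are deliberate: the YAML `dependency-version` is preferred over the version in the `Updates` line, matching the ranking of sources in the description, and the lone-entry pairing that gives a single-dependency PR its `prevVersion` even when the intro's label differs from `dependency-name` is gated on both sources having exactly one entry, because the same shortcut would mis-pair versions in a grouped message.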
@ppkarwasz ppkarwasz requested a review from a team as a code owner June 23, 2025 21:50
jeffwidman (Member) previously approved these changes Jul 1, 2025 and left a comment:

This looks good to me, other than not understanding the comment syntax?

I'd appreciate if @JamieMagee took a quick look as well since he worked on exposing some of this metadata as he may be aware of some additional context

ppkarwasz (Contributor, Author) commented:

Hi @jeffwidman,

Just a gentle reminder about this PR. Since we switched to compulsory reviews, handling Dependabot PRs (which previously merged automatically with changelog entries) has become more time-consuming. This change (along with apache/logging-parent#419) is part of the approach we devised to streamline things by grouping updates and reviewing them as a single PR.

Would you have an idea when this might be merged and included in a release?

Thanks!

tekumara commented Oct 6, 2025

Very much looking forward to this, thank you @ppkarwasz

@ppkarwasz ppkarwasz requested a review from jeffwidman October 6, 2025 07:22
ppkarwasz added a commit to ppkarwasz/infrastructure-actions that referenced this pull request Oct 26, 2025
…etadata`

This PR allows the usage of the `ppkarwasz/fetch-metadata` GitHub Action as an alternative to `dependabot/fetch-metadata` in ASF repositories.

The `ppkarwasz/fetch-metadata` action is a personal improvement of the original `dependabot/fetch-metadata`, adding support for grouped Dependabot pull requests, a feature that is currently missing from the upstream action. The implementation has already been reviewed and approved by the Dependabot team (see dependabot/fetch-metadata#632), but the upstream project has been inactive for several months, likely due to reduced maintenance capacity at GitHub. This has prevented the improvement from being merged and released.

### Why this change is needed

In Apache Logging Services, every pull request must include a changelog entry. Previously, under CTR, we used a workflow that automatically added the changelog entry and merged the PR.

Since switching to RTC, this automation can no longer complete the merge step, resulting in repositories accumulating unmerged Dependabot PRs that must be:

* manually reviewed,
* updated with an empty commit to re-trigger required status checks,
* and merged by hand.

We already have an improved workflow in place (see apache/logging-parent#419) that provides:

* **Security enhancements** through separation of privileged and unprivileged workflows
  (`ppkarwasz/fetch-metadata` is used only in the unprivileged workflow),
* **Automatic merge using `auto-merge` instead of manual merging**, and
* **Support for grouped Dependabot PRs** (reducing noise to ~1 PR per repository per month).

The final item, grouped PR support, requires the `ppkarwasz/fetch-metadata` action.
@truggeri truggeri merged commit 7d590d1 into dependabot:main Dec 22, 2025
6 checks passed
@ppkarwasz ppkarwasz deleted the feat/multi-versions branch December 22, 2025 21:02
ppkarwasz (Contributor, Author) commented:

Hi @truggeri,

Thank you very much for merging this. Any idea when will version 2.5.0 be released?

In the meantime, hope you have a great holiday season.

truggeri (Contributor) commented Jan 7, 2026

@ppkarwasz v2.5.0 was released yesterday.

ppkarwasz (Contributor, Author) commented:

Hi @truggeri,

It looks like version 2.5.0 points to the parent commit (21025c7) of the merge commit for this PR (7d590d1), so the changes from this PR are not included in the release.

Just wanted to check whether this was intentional, or if I’m missing something on my end?

truggeri (Contributor) commented Jan 7, 2026

You're right, v2.5 didn't include this change. Intentional would be a bit strong 😕 , more of an oversight 😬

cmeans-claude-dev Bot added a commit to cmeans/mcp-synology that referenced this pull request Apr 26, 2026
Closes the auto-CHANGELOG empty-versions bug surfaced by live
Dependabot PR #59.

Root cause: dependabot/fetch-metadata@v2.5.0 returns empty-string
prevVersion / newVersion for every package in a grouped update.
The workflow's inline Python used d.get('prevVersion', '?'), which
only falls back on missing keys — empty strings render as nothing.

Upstream PR dependabot/fetch-metadata#632 (shipped v3.0.0, refined
v3.1.0) added body-metadata parsing for multi-dependency PRs, so
the durable fix is just the SHA bump:

  dependabot/fetch-metadata
    21025c705c08248db411dc16f3619e6b5f9ea21a (v2.5.0)
    → 25dd0e34f4fe68f24cc83900b1fe3fe149efef98 (v3.1.0)

No inline-Python changes needed. v3 also requires Node.js 24 as
the Actions runtime, clearing the Node.js-20 deprecation warning
the v2 line was emitting on every run.

Verification gate (per don't-propagate-unverified-fixes rule):
1. ✅ Land this fix on main
2. @dependabot recreate PR #59
3. Confirm the recreated PR's CHANGELOG entry reads correctly
4. ONLY THEN consider cascading the broader Dependabot-PR-hygiene
   work + the doubled-prefix fix from #57 to
   cmeans/pypi-winnow-downloads

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Development

Successfully merging this pull request may close these issues:

Support newVersion and prevVersion for updates with multiple dependencies