Dependabot ignores constraints in .yml and package.json, creating PRs for minor version updates #11045

@lakshmimsft

Description

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

link to file: https://github.com/radius-project/radius/blob/main/typespec/package.json

{
  "name": "radius",
  "version": "0.1.0",
  "type": "module",
  "dependencies": {
    "@typespec/compiler": "~0.60.0",
    "@azure-tools/typespec-autorest": "~0.46.0",
    "@azure-tools/typespec-azure-core": "~0.46.0",
    "@azure-tools/typespec-azure-resource-manager": "~0.46.0",
    "@azure-tools/typespec-providerhub": "~0.46.0",
    "@typespec/http": "~0.60.0",
    "@typespec/openapi": "~0.60.0",
    "@typespec/rest": "~0.60.0",
    "@typespec/versioning": "~0.60.0"
  },
  "private": true,
  "author": "Radius Authors",
  "license": "Apache-2.0"
}

dependabot.yml content

link to file: https://github.com/radius-project/radius/blob/1f241e39854dc13523f4c486b7b4bd88d85828c1/.github/dependabot.yml#L31

 ...
  - package-ecosystem: "npm"
    directory: "/typespec/"
    schedule:
      interval: "weekly"
    groups:
      typespec:
        applies-to: version-updates
        patterns:
          - "*" # Matches all dependencies
        update-types:
          - "patch" # Only allow patch updates for regular version updates

Updated dependency

From: "@azure-tools/typespec-autorest": "~0.46.0"
To: "@azure-tools/typespec-autorest": "~0.48.0"

What you expected to see, versus what you actually saw

We referred to the documentation (docs-configuration) and updated the package.json (using tilde ranges) and the dependabot.yml configuration. Both files specify that only patch versions should be updated for dependencies under the /typespec/ folder.
Expected: No PRs for dependencies in the /typespec/ folder for major or minor version updates.
Actual: We see a new PR that came in today https://github.com/radius-project/radius/pull/8100/files with a suggestion to bump the dependency @azure-tools/typespec-autorest from version 0.46.0 to 0.48.0. Dependabot PR link
Please advise whether package.json/dependabot.yml needs further updates or whether this is a bug.

Native package manager behavior

NA

Images of the diff or a link to the PR, issue, or logs

Dependabot PR link

Smallest manifest that reproduces the issue

{
  "name": "radius",
  "version": "0.1.0",
  "type": "module",
  "dependencies": {
    "@typespec/compiler": "~0.60.0",
    "@azure-tools/typespec-autorest": "~0.46.0",
    "@azure-tools/typespec-azure-core": "~0.46.0",
    "@azure-tools/typespec-azure-resource-manager": "~0.46.0",
    "@azure-tools/typespec-providerhub": "~0.46.0",
    "@typespec/http": "~0.60.0",
    "@typespec/openapi": "~0.60.0",
    "@typespec/rest": "~0.60.0",
    "@typespec/versioning": "~0.60.0"
  },
  "private": true,
  "author": "Radius Authors",
  "license": "Apache-2.0"
}
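For readers who hit the same behaviour: the `update-types` key under `groups` only decides which updates are bundled into the group, it does not stop Dependabot from opening the other updates as separate PRs. Likewise a `~` range in package.json constrains what `npm install` resolves, but Dependabot version updates propose bumping the range itself, which is why a `~0.46.0` to `~0.48.0` PR is still generated. The configuration that suppresses major and minor bumps is a top-level `ignore` condition. The following is an added example written for this page, not the radius project's actual dependabot.yml; the `version: 2` header and `updates:` wrapper are assumed to be what the elided `...` part of the original file contains.

```yaml
# Added example, not the project's own file.
# Assumes the surrounding file is the standard `version: 2` / `updates:` layout.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/typespec/"
    schedule:
      interval: "weekly"
    # `ignore` is what actually prevents PRs from being opened.
    # The wildcard dependency-name applies the rule to every package in the manifest.
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"
          - "version-update:semver-minor"
    # `groups` still controls how the remaining (patch) updates are bundled.
    groups:
      typespec:
        applies-to: version-updates
        patterns:
          - "*"
        update-types:
          - "patch"
```

Two caveats worth checking before adopting this. First, `ignore` has no `applies-to` key, so unlike `groups` it is not scoped to version updates only; confirm in the Dependabot docs how ignore conditions interact with security updates for your repository before silencing minor bumps across the board, since a security fix shipped in a minor release would otherwise go unnoticed. Second, for 0.x packages a change from 0.46 to 0.48 is classified as a minor update (the second component moved), so `semver-minor` is the right type to ignore here; `semver-major` alone would not have blocked this PR.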
