feat: Parse versions from metadata links by ppkarwasz · Pull Request #632 · dependabot/fetch-metadata
Dependabot PRs that update a single dependency include version details in the commit message introduction, e.g.,
"Bumps <dependency> from <prevVersion> to <newVersion>"
This is the format generated by the commit_message_intro method in Dependabot Core.
However, when multiple dependencies are updated in a single PR, this format isn't used consistently, which limits the action’s ability to extract accurate version information.
This change improves version parsing for multi-dependency PRs by introducing two additional detection strategies:
YAML metadata parsing
Dependabot includes a YAML block in the commit message with structured details for each updated dependency:
updated-dependencies:
- dependency-name: commons-codec:commons-codec
  dependency-version: 1.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: non-breaking
This is the most reliable and stable source for the new version of each dependency, though it does not include the previous version.
Metadata links parsing
In multi-dependency updates, Dependabot also appends "metadata links" with a format like:
"Updates <dependencyName> from <prevVersion> to <newVersion>"
These lines are generated by the metadata_links method and provide both the old and new versions.
By combining these sources, the action now supports version parsing for PRs with multiple updated dependencies—broadening its coverage and improving reliability.
Closes dependabot#402
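The three sources described above, as an added example that is not the action's own code: a small JavaScript parser that combines the YAML block, the "Updates" metadata links and the single-dependency "Bumps" intro into per-dependency previous/new versions. The sample commit message is constructed, and the regular expressions are an approximation of the formats, not the action's implementation.

```javascript
// Constructed sample (not a real Dependabot message) in the shape the PR describes: intro, "Updates" links, YAML block.
const SAMPLE_MESSAGE = [
  'Bumps the non-breaking group with 2 updates: commons-codec:commons-codec and org.example:lib.',
  'Updates `commons-codec:commons-codec` from 1.17.0 to 1.18.0',
  'Updates `org.example:lib` from 2.3.4 to 2.4.0',
  '---',
  'updated-dependencies:',
  '- dependency-name: commons-codec:commons-codec',
  '  dependency-version: 1.18.0',
  '  dependency-group: non-breaking',
  '- dependency-name: org.example:lib',
  '  dependency-version: 2.4.0',
  '...',
].join('\n');
// "<verb> <dep> from <prev> to <new>" where <dep> is plain, backticked or a markdown link (approximation).
const versionLine = (verb) => new RegExp(`^${verb} (?:\\[([^\\]]+)\\]\\([^)]*\\)|\`?(\\S+?)\`?) from (\\S+) to (\\S+?)\\.?$`, 'gm');
// Map<name, {prevVersion, newVersion}> from every line starting with the given verb.
function parseVersionLines(message, verb) {
  const found = new Map();
  for (const m of message.matchAll(versionLine(verb))) {
    found.set(m[1] || m[2], { prevVersion: m[3], newVersion: m[4] });
  }
  return found;
}
// "updated-dependencies:" YAML list, read line by line (fixed shape, so no YAML library); Map<name, newVersion>.
function parseYamlBlock(message) {
  const versions = new Map();
  const lines = message.split('\n');
  let current = null;
  let i = lines.findIndex((l) => l.trim() === 'updated-dependencies:');
  for (i = i < 0 ? lines.length : i + 1; i < lines.length; i += 1) {
    const item = /^-\s+dependency-name:\s*(\S+)\s*$/.exec(lines[i]);
    if (item) { current = item[1]; versions.set(current, ''); continue; }
    const kv = /^\s+([\w-]+):\s*(.*?)\s*$/.exec(lines[i]);
    if (!kv || current === null) break; // list ended (e.g. at the "..." terminator)
    if (kv[1] === 'dependency-version') versions.set(current, kv[2]);
  }
  return versions;
}
// YAML gives names and new versions; previous versions come from "Updates" links, then the "Bumps" intro.
function parseVersions(message) {
  const yaml = parseYamlBlock(message);
  const links = parseVersionLines(message, 'Updates');
  const bumps = parseVersionLines(message, 'Bumps');
  const names = yaml.size ? [...yaml.keys()] : [...new Set([...links.keys(), ...bumps.keys()])];
  return names.map((name) => {
    const line = links.get(name) || bumps.get(name) || { prevVersion: '', newVersion: '' };
    return { name, prevVersion: line.prevVersion, newVersion: yaml.get(name) || line.newVersion };
  });
}
```

When the YAML block is present but no matching "Updates" or "Bumps" line exists, prevVersion stays empty rather than being guessed.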
ppkarwasz added a commit to ppkarwasz/infrastructure-actions that referenced this pull request
…etadata`
This PR allows the usage of the ppkarwasz/fetch-metadata GitHub Action as an alternative to dependabot/fetch-metadata in ASF repositories.
The ppkarwasz/fetch-metadata action is a personal improvement of the original dependabot/fetch-metadata, adding support for grouped Dependabot pull requests, a feature that is currently missing from the upstream action. The implementation has already been reviewed and approved by the Dependabot team (see dependabot/fetch-metadata#632), but the upstream project has been inactive for several months, likely due to reduced maintenance capacity at GitHub. This has prevented the improvement from being merged and released.
Why this change is needed
In Apache Logging Services, every pull request must include a changelog entry. Previously, under CTR, we used a workflow that automatically added the changelog entry and merged the PR.
Since switching to RTC, this automation can no longer complete the merge step, resulting in repositories accumulating unmerged Dependabot PRs that must be:
- manually reviewed,
- updated with an empty commit to re-trigger required status checks,
- and merged by hand.
We already have an improved workflow in place (see apache/logging-parent#419) that provides:
- Security enhancements through separation of privileged and unprivileged workflows (ppkarwasz/fetch-metadata is used only in the unprivileged workflow),
- Automatic merge using auto-merge instead of manual merging, and
- Support for grouped Dependabot PRs (reducing noise to ~1 PR per repository per month).
The final item, grouped PR support, requires the ppkarwasz/fetch-metadata action.
cmeans-claude-dev Bot added a commit to cmeans/mcp-synology that referenced this pull request
Closes the auto-CHANGELOG empty-versions bug surfaced by live Dependabot PR #59.
Root cause: dependabot/fetch-metadata@v2.5.0 returns empty-string prevVersion / newVersion for every package in a grouped update. The workflow's inline Python used d.get('prevVersion', '?'), which only falls back on missing keys — empty strings render as nothing.
Upstream PR dependabot/fetch-metadata#632 (shipped v3.0.0, refined v3.1.0) added body-metadata parsing for multi-dependency PRs, so the durable fix is just the SHA bump:
dependabot/fetch-metadata 21025c705c08248db411dc16f3619e6b5f9ea21a (v2.5.0) → 25dd0e34f4fe68f24cc83900b1fe3fe149efef98 (v3.1.0)
No inline-Python changes needed. v3 also requires Node.js 24 as the Actions runtime, clearing the Node.js-20 deprecation warning the v2 line was emitting on every run.
Verification gate (per don't-propagate-unverified-fixes rule):
- ✅ Land this fix on main
- @dependabot recreate PR #59
- Confirm the recreated PR's CHANGELOG entry reads correctly
- ONLY THEN consider cascading the broader Dependabot-PR-hygiene work + the doubled-prefix fix from #57 to cmeans/pypi-winnow-downloads
Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com