Despite the v3.1.0 fix claiming to resolve update-type null for Python, Composer, and Terraform PRs, we are still seeing update-type: null with empty previous-version and new-version for a pip Dependabot PR targeting the aiohttp package.
fetch-metadata version
v3.1.0 — pinned to commit 25dd0e3
Metadata output
Outputting metadata for 1 updated dependency
outputs.dependency-names: aiohttp
outputs.dependency-type: direct:production
outputs.update-type: null
outputs.directory: /
outputs.package-ecosystem: pip
outputs.target-branch: main
outputs.previous-version: (empty)
outputs.new-version: (empty)
outputs.compatibility-score: 0
outputs.maintainer-changes: false
outputs.dependency-group: (empty)
outputs.alert-state: (empty)
outputs.ghsa-id: (empty)
outputs.cvss: 0
Expected behavior
update-type should be populated (e.g. version-update:semver-patch) and previous-version/new-version should contain the version strings from the Dependabot PR.
Actual behavior
update-type is null, previous-version and new-version are both empty. Because update-type cannot be derived without version strings, any workflow logic gating on update-type (e.g. auto-merge for patch/minor) is silently skipped.
Impact
Workflows that use update-type to conditionally enable auto-merge are broken for pip packages exhibiting this behavior, as the conditional step is skipped even for safe patch/minor updates.
Steps to reproduce
- Set up a repo with a
requirements.txt containing aiohttp
- Enable Dependabot version or security updates for pip
- Let Dependabot open a PR
- Run
fetch-metadata v3.1.0 on the PR and observe the outputs
Despite the v3.1.0 fix claiming to resolve
update-type null for Python, Composer, and Terraform PRs, we are still seeingupdate-type: nullwith emptyprevious-versionandnew-versionfor a pip Dependabot PR targeting theaiohttppackage.fetch-metadata version
v3.1.0— pinned to commit 25dd0e3Metadata output
Expected behavior
update-typeshould be populated (e.g.version-update:semver-patch) andprevious-version/new-versionshould contain the version strings from the Dependabot PR.Actual behavior
update-typeis null,previous-versionandnew-versionare both empty. Becauseupdate-typecannot be derived without version strings, any workflow logic gating onupdate-type(e.g. auto-merge for patch/minor) is silently skipped.Impact
Workflows that use
update-typeto conditionally enable auto-merge are broken for pip packages exhibiting this behavior, as the conditional step is skipped even for safe patch/minor updates.Steps to reproduce
requirements.txtcontainingaiohttpfetch-metadatav3.1.0 on the PR and observe the outputs