Dependency is not ignored

Hello,

Under .github/dependabot.yml I have instructions to ignore all 5.x versions of dependencies starting with “Microsoft.Extensions.”

version: 2
updates:
  - package-ecosystem: nuget
    directory: "/"
    # schedule is a required key in a v2 config; assumed "daily" here,
    # it was omitted from the snippet in the post
    schedule:
      interval: "daily"
    ignore:
      - dependency-name: "Microsoft.Extensions.*"
        versions: ["5.x"]

Despite this Dependabot keeps opening PRs like:

Bump Microsoft.Extensions.Configuration.UserSecrets from 3.1.3 to 5.0.0

Anyone know what I’m doing wrong?


Everything looks fine. I wonder if the wildcard might be the problem, i.e. if it really matches any characters including the dot. It might be worth trying:

- dependency-name: "Microsoft.Extensions.*.*"

It’s a bit of a long shot, but pattern matching is known to behave slightly differently across different tools, and even Git’s WildMatch algorithm is configured to behave differently in different contexts.

Other than this, everything seems fine in your settings.

You could always try using update-types: instead of versions:, to prevent any major version bump, which would probably achieve the same goal.

https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#ignore
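The reply raises two things worth checking: whether `*` in dependency-name matches across dots, and whether an update-types rule would catch the 3.1.3 to 5.0.0 bump. The block below is an added example, not code from the thread and not Dependabot's own code. It evaluates a constructed pair of ignore rules (the one from the question plus the update-types alternative) against the PR from the question. The name matching assumes dependabot-core expands each `*` into `.*` in an anchored, case-insensitive regex, so it does cross dots; the `5.x` version handling is a deliberate simplification and does not reproduce the NuGet range parser Dependabot actually hands the string to.

```python
import re

# Constructed ignore rules (not the poster's real file): the rule from the
# question, plus the update-types alternative the reply proposes.
IGNORE_RULES = [
    {"dependency-name": "Microsoft.Extensions.*",
     "versions": ["5.x"]},
    {"dependency-name": "Microsoft.Extensions.*",
     "update-types": ["version-update:semver-major"]},
]


def wildcard_match(pattern: str, name: str) -> bool:
    """Case-insensitive name match where '*' stands for any run of characters,
    dots included. Assumption: this mirrors how dependabot-core expands the
    dependency-name wildcard (each '*' becomes '.*' in an anchored regex)."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, name.lower()) is not None


def version_tuple(version: str) -> tuple:
    """Numeric major/minor/patch, padded with zeros (e.g. '5.0' -> (5, 0, 0))."""
    parts = [int(p) for p in version.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def version_pattern_match(pattern: str, version: str) -> bool:
    """Simplified reading of an 'N.x' pattern: numeric components must be equal,
    'x' or '*' matches anything. Illustration only; Dependabot passes the
    string to the ecosystem's own range parser, which this does not reproduce."""
    pat, ver = pattern.split("."), version.split(".")
    return all(p in ("x", "*") or p == v for p, v in zip(pat, ver))


def update_type(old: str, new: str) -> str:
    """Classify a bump the way the update-types values do."""
    o, n = version_tuple(old), version_tuple(new)
    if n[0] != o[0]:
        return "version-update:semver-major"
    if n[1] != o[1]:
        return "version-update:semver-minor"
    return "version-update:semver-patch"


def matching_rules(rules, name: str, old: str, new: str) -> list:
    """Return the ignore rules that would suppress an update of `name` from
    `old` to `new`. A rule with neither 'versions' nor 'update-types'
    ignores every update of a matching dependency."""
    hits = []
    for rule in rules:
        if not wildcard_match(rule["dependency-name"], name):
            continue
        versions = rule.get("versions", [])
        types = rule.get("update-types", [])
        if not versions and not types:
            hits.append(rule)
        elif any(version_pattern_match(p, new) for p in versions):
            hits.append(rule)
        elif update_type(old, new) in types:
            hits.append(rule)
    return hits


if __name__ == "__main__":
    dep = "Microsoft.Extensions.Configuration.UserSecrets"
    print("wildcard crosses dots:", wildcard_match("Microsoft.Extensions.*", dep))
    print("3.1.3 -> 5.0.0 is", update_type("3.1.3", "5.0.0"))
    for rule in matching_rules(IGNORE_RULES, dep, "3.1.3", "5.0.0"):
        print("would be ignored by:", rule)
```

Under these assumptions both rules match the PR from the question, so the wildcard is not the problem and an update-types rule would block the bump independently of how the ecosystem parses `5.x`. Note one edge of the `*` expansion: `Microsoft.Extensions.*` does not match a package named exactly `Microsoft.Extensions`, because the literal trailing dot must still be present. The docs linked above remain the authoritative reference for the real matching rules.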