fix: remove $ anchor from updateFragment regex to handle pip directory suffixes #698

Merged
truggeri merged 2 commits into dependabot:main from tv2:fix/update-fragment-regex-anchor
Apr 9, 2026

@devantler devantler commented Apr 9, 2026

Summary

The updateFragment regex on line 71 of src/dependabot/update_metadata.ts uses a $ end-of-line anchor:

const updateFragment = commitMessage.match(/^Update .* requirement from \S*? ?(?<from>v?\d\S*) to \S*? ?(?<to>v?\d\S*)$/m)

This fails for pip ecosystem commit messages that end with a directory suffix like in /app:

Update boto3 requirement from <=1.42.76 to <=1.42.86 in /app
                                                       ^^^^^^^ breaks the $ anchor

Because the regex doesn't match, prev is empty, and calculateUpdateType('', '1.42.86') returns an empty string — causing update-type to be null in the action output.

Fix

Remove the $ anchor from updateFragment. This is safe because:

  • The ^ anchor + /m flag ensures we match from the start of a line
  • \S* already stops at whitespace, so capture groups won't over-match past the version
  • The bumpFragment regex (which ends with \.$) is unaffected — "Bumps" messages always end with a period

Test

Added a test case reproducing the exact pip requirement format with in /app suffix.

Fixes #339

…y suffixes

The updateFragment regex used a $ end-of-line anchor that prevented matching
pip ecosystem commit messages ending with 'in /dir' (e.g., 'Update boto3
requirement from <=1.42.76 to <=1.42.86 in /app'). This caused update-type
to be null and previous-version to be empty for all pip requirement updates.

Removing the $ anchor is safe because \S* already stops at whitespace,
preventing over-matching. The bumpFragment regex (which ends with \.$) is
unaffected.

Fixes dependabot#339

Co-authored-by: Copilot <[email protected]>
@devantler devantler marked this pull request as ready for review April 9, 2026 08:41
@devantler devantler requested a review from a team as a code owner April 9, 2026 08:41
@devantler
Contributor Author

E2E Verification — dry-run against a real pip PR

Tested using the built-in dry-run CLI against an open Dependabot PR with the exact commit message format that triggers this bug:

Update boto3 requirement from <=1.42.76 to <=1.42.86 in /app

Before fix (upstream code)

{
  "dependencyName": "boto3",
  "updateType": "",
  "prevVersion": "",
  "newVersion": "1.42.86",
  "directory": "/app",
  "packageEcosystem": "pip"
}

updateType is empty and prevVersion is missing — the $ anchor prevents the regex from matching the in /app suffix.

After fix (this PR)

{
  "dependencyName": "boto3",
  "updateType": "version-update:semver-patch",
  "prevVersion": "1.42.76",
  "newVersion": "1.42.86",
  "directory": "/app",
  "packageEcosystem": "pip"
}

Both updateType and prevVersion are now correctly resolved. Downstream workflows that gate on update-type (e.g., auto-approving patch bumps) will now work for pip requirement updates in subdirectories.
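
The failure and the fix described in this PR, reproduced as an added example (not code from the PR or from the fetch-metadata project). The two regex literals are the ones quoted in the PR description; `classify`, `mayAutoApprove`, and every sample message other than the boto3 one are assumptions made for illustration, with the gate written to fail closed on an empty update type.

```javascript
// Regex literals as quoted in the PR: before the fix (trailing $) and after it.
const BEFORE = /^Update .* requirement from \S*? ?(?<from>v?\d\S*) to \S*? ?(?<to>v?\d\S*)$/m
const AFTER = /^Update .* requirement from \S*? ?(?<from>v?\d\S*) to \S*? ?(?<to>v?\d\S*)/m

// Constructed commit messages; only pipWithDir is taken from the PR text.
const SAMPLES = {
  pipWithDir: 'Update boto3 requirement from <=1.42.76 to <=1.42.86 in /app',
  noSuffix: 'Update boto3 requirement from <=1.42.76 to <=1.42.86',
  spacedOperator: 'Update rubocop requirement from ~> 0.76.0 to ~> 0.77.0 in /tools',
  bodyLine: 'Some header\n\nUpdate requests requirement from <2.31.0 to <3.0.0 in /svc\nSigned-off-by: x'
}

// Pull prev/next out of the "Update ... requirement" line; empty strings when nothing matches.
function extractVersions (re, commitMessage) {
  const groups = commitMessage.match(re)?.groups
  return { prev: groups?.from ?? '', next: groups?.to ?? '' }
}

// Hypothetical stand-in for the action's calculateUpdateType (not the project's code):
// an empty input yields '', otherwise the first differing numeric component decides.
function classify (prev, next) {
  if (!prev || !next) return ''
  const a = prev.replace(/^v/, '').split('.').map(Number)
  const b = next.replace(/^v/, '').split('.').map(Number)
  if (a[0] !== b[0]) return 'version-update:semver-major'
  if (a[1] !== b[1]) return 'version-update:semver-minor'
  return 'version-update:semver-patch'
}

// Hypothetical downstream gate: approve only an explicit patch classification,
// so a parse failure (empty update type) is never treated as "safe".
function mayAutoApprove (updateType) {
  return updateType === 'version-update:semver-patch'
}

function evaluate (re, message) {
  const { prev, next } = extractVersions(re, message)
  const updateType = classify(prev, next)
  return { prev, next, updateType, autoApprove: mayAutoApprove(updateType) }
}

for (const [name, message] of Object.entries(SAMPLES)) {
  console.log(name, 'before:', evaluate(BEFORE, message), 'after:', evaluate(AFTER, message))
}
```

The `spacedOperator` and `bodyLine` cases show that dropping `$` does not let the capture groups run into the directory suffix or the following line, because `\S*` stops at the first whitespace.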

Copilot AI left a comment

Pull request overview

Fixes parse() failing to extract previous/new versions from pip “Update … requirement …” commit messages that include a trailing directory suffix (e.g. in /app), which previously caused update-type to be empty/null.

Changes:

  • Relax updateFragment matching by removing the end-of-line $ anchor so pip commit messages with in /<dir> still match.
  • Add a Jest regression test covering the pip directory suffix format.
  • Regenerate the bundled dist/index.js to include the source change.

File | Description
src/dependabot/update_metadata.ts | Removes $ from updateFragment regex so pip commit messages with directory suffixes are parsed correctly.
src/dependabot/update_metadata.test.ts | Adds a regression test for pip “Update … requirement … in /app” format to ensure updateType, versions, and directory are populated.
dist/index.js | Updates the built action bundle to reflect the regex change.

Copilot's findings

  • Files reviewed: 2/3 changed files
  • Comments generated: 0

@truggeri truggeri left a comment

The change makes sense to me. Having the multiline flag means we should be okay here without the end of line.

@truggeri truggeri merged commit 533cc22 into dependabot:main Apr 9, 2026
6 checks passed

Successfully merging this pull request may close these issues.

Fetch Metadata action returns null update-type output for pull requests
