You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
PSModule repositories drive releases from labels: when a pull request merges, its major / minor / patch (release-bump) label decides the repository's next version. Dependabot opens dependency-update pull requests across every repository.
Request
What happens
Dependabot automatically applies a semver-level label — major, minor, or patch — to each dependency-update pull request, matching the dependency's version jump. It does this because the repository already has labels with those exact names (used for release bumping), and Dependabot applies same-named semver labels when they exist. The release workflow then reads that label as this repository's release bump. A dependency's major or minor jump can therefore cut a major or minor release of the module even when the change to the consuming artifact is trivial or invisible.
An issue was raised upstream with Dependabot, but the behaviour persists, so the ecosystem needs to defend against it directly.
Reproduction steps
Use any PSModule repository whose release-bump labels are named major / minor / patch.
Let Dependabot open a github-actions update pull request.
No semver-based label is present on a Dependabot pull request.
A dependency-update pull request never sets the repository's release bump from a Dependabot-applied label.
The release bump for a dependency update is decided by the framework (a deterministic default), not by the upstream dependency's semver jump.
Note on label casing
The collision surfaces where release labels are lowercase (major / minor / patch, as in PSModule/GitHub). Repositories whose labels are capitalised (Major / Minor / Patch, as used on this repository's issues) do not match Dependabot's lowercase semver labels and are not affected. The fix must not rely on casing alone.
Acceptance criteria
Dependabot-authored pull requests carry no major / minor / patch (or update:*) label after processing.
A merged Dependabot pull request produces the intended, deterministic release bump regardless of the upstream jump.
Behaviour is consistent across repositories regardless of label casing.
No semver-based labelling of dependency pull requests remains in the framework or its templates.
Technical decisions
Root cause. Dependabot applies semver labels (major / minor / patch) to its pull requests when labels of those names exist in the repository (see Dependabot's labels behaviour). PSModule's release-bump labels use exactly those names, so the dependency's jump signal is mistaken by the release workflow for this repository's bump signal. Two different dimensions — the upstream dependency jump and this repository's release bump — share one label set.
Options considered:
Ignore semver labels on Dependabot-authored pull requests during version resolution. In Resolve-PSModuleVersion, when the pull request author is app/dependabot, disregard any major / minor / patch label and apply a deterministic default bump. Central, robust, and independent of label casing.
Strip semver labels from Dependabot pull requests on open. A small pull_request step (guarded on author app/dependabot) removes any major / minor / patch / update:* label so the pull request view is also clean.
Rename release-bump labels so Dependabot cannot match them. Fragile if it leans on casing; a rename touches every repository, the resolver, and the bootstrap — a large blast radius. Rejected as the sole fix.
Chosen approach. Option 1 as the authoritative fix — the resolver is the single source of truth for the bump — combined with Option 2 to keep the pull request presentation clean. The default bump for a dependency update is defined once by the framework.
Documentation reconciliation (MSXOrg). The written standard still prescribes a semver label scheme for update pull requests, which this change removes in practice. Reconcile:
Capabilities/dependency-updates/design.md and spec.md — remove the update-level semver-label scheme and the "labels must not collide with release labels" framing; replace with "dependency-update pull requests carry no semver-based label."
Out of scope. The upstream Dependabot behaviour itself (tracked upstream); this issue defends the ecosystem regardless of the upstream outcome.
Implementation plan
Framework
In Resolve-PSModuleVersion, ignore major / minor / patch labels when the pull request author is app/dependabot, and apply the deterministic default bump
Decide and document the default release bump for dependency-update pull requests
Add a step (or reusable snippet) that removes semver / update:* labels from Dependabot pull requests on open
Match major|minor|patch case-insensitively so the fix is casing-independent
Repositories and templates
Confirm Template-Action and Template-PSModule seed no semver labelling for Dependabot
Verify a representative repository (e.g. PSModule/GitHub) no longer shows semver labels on Dependabot pull requests
Tests
Add a test: a Dependabot-authored pull request carrying a major label resolves to the default bump
Add a test: semver labels are absent or stripped on Dependabot pull requests
Documentation (MSXOrg/docs)
Remove the update:* semver-label scheme from GitHub-Actions.md, dependency-updates/design.md, and dependency-updates/spec.md
State that dependency-update pull requests carry no semver-based labels
PSModule repositories drive releases from labels: when a pull request merges, its
major/minor/patch(release-bump) label decides the repository's next version. Dependabot opens dependency-update pull requests across every repository.Request
What happens
Dependabot automatically applies a semver-level label —
major,minor, orpatch— to each dependency-update pull request, matching the dependency's version jump. It does this because the repository already has labels with those exact names (used for release bumping), and Dependabot applies same-named semver labels when they exist. The release workflow then reads that label as this repository's release bump. A dependency's major or minor jump can therefore cut a major or minor release of the module even when the change to the consuming artifact is trivial or invisible.An issue was raised upstream with Dependabot, but the behaviour persists, so the ecosystem needs to defend against it directly.
Reproduction steps
major/minor/patch.github-actionsupdate pull request.patch— even though.github/dependabot.ymlonly requestsdependencies+github-actions, never a semver label.What is expected
Note on label casing
The collision surfaces where release labels are lowercase (
major/minor/patch, as inPSModule/GitHub). Repositories whose labels are capitalised (Major/Minor/Patch, as used on this repository's issues) do not match Dependabot's lowercase semver labels and are not affected. The fix must not rely on casing alone.Acceptance criteria
major/minor/patch(orupdate:*) label after processing.Technical decisions
Root cause. Dependabot applies semver labels (
major/minor/patch) to its pull requests when labels of those names exist in the repository (see Dependabot's labels behaviour). PSModule's release-bump labels use exactly those names, so the dependency's jump signal is mistaken by the release workflow for this repository's bump signal. Two different dimensions — the upstream dependency jump and this repository's release bump — share one label set.Options considered:
Resolve-PSModuleVersion, when the pull request author isapp/dependabot, disregard anymajor/minor/patchlabel and apply a deterministic default bump. Central, robust, and independent of label casing.pull_requeststep (guarded on authorapp/dependabot) removes anymajor/minor/patch/update:*label so the pull request view is also clean.Chosen approach. Option 1 as the authoritative fix — the resolver is the single source of truth for the bump — combined with Option 2 to keep the pull request presentation clean. The default bump for a dependency update is defined once by the framework.
Documentation reconciliation (MSXOrg). The written standard still prescribes a semver label scheme for update pull requests, which this change removes in practice. Reconcile:
Coding-Standards/GitHub-Actions.md— drop theupdate:major/update:minor/update:patchlabel recommendation.Capabilities/dependency-updates/design.mdandspec.md— remove the update-level semver-label scheme and the "labels must not collide with release labels" framing; replace with "dependency-update pull requests carry no semver-based label."Out of scope. The upstream Dependabot behaviour itself (tracked upstream); this issue defends the ecosystem regardless of the upstream outcome.
Implementation plan
Framework
Resolve-PSModuleVersion, ignoremajor/minor/patchlabels when the pull request author isapp/dependabot, and apply the deterministic default bumpupdate:*labels from Dependabot pull requests on openmajor|minor|patchcase-insensitively so the fix is casing-independentRepositories and templates
Template-ActionandTemplate-PSModuleseed no semver labelling for DependabotPSModule/GitHub) no longer shows semver labels on Dependabot pull requestsTests
majorlabel resolves to the default bumpDocumentation (MSXOrg/docs)
update:*semver-label scheme fromGitHub-Actions.md,dependency-updates/design.md, anddependency-updates/spec.md