dosubot[bot] commented on PR #40938: URL: https://github.com/apache/superset/pull/40938#issuecomment-4673807912
This is indeed weird — a PR titled "bump dompurify from 3.4.9 to 3.4.8" looks like a downgrade on the surface. I looked into the Dependabot configuration and couldn't find a specific setting that would prevent this, but here's what's likely happening:

This is a **known Dependabot quirk**, not a config issue on your end. It typically occurs when a package publishes a new version (e.g., `3.4.8`) with a *newer* publish date but a *lower* semver number — for example, if `3.4.9` was yanked/unpublished and then `3.4.8` was published as a patch release on a different branch, or if the maintainer published an out-of-order tag. Dependabot generates the title based on the literal version strings in the lockfile (`from` → `to`), so if it's resolving to a version with a lower number, that's what shows up in the title.

Looking at the [DOMPurify compare view](https://github.com/cure53/DOMPurify/compare/3.4.9...3.4.8) linked in the PR, it seems like the upstream package may have done something unusual with their versioning.

**Unfortunately, there's no Dependabot config option to fix misleading titles.** The `versioning-strategy: increase` setting you already use [[1]](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/.github/dependabot.yml) controls how version *constraints* in package files are updated, but it doesn't affect how PR titles are generated.

Your options are:

1. **Ignore it** — these are cosmetic title issues; the actual dependency resolution is still correct
2. **Use `@dependabot ignore this dependency`** on packages with erratic versioning
3. **Report it to GitHub** — this is arguably a Dependabot bug where the title should indicate the context better when the target version number is lower than the current one

If you keep seeing this across multiple unrelated packages, it might be worth opening an issue with GitHub's Dependabot team.
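The comment above explains that Dependabot builds the title from the literal `from`/`to` version strings, so a title can read as a downgrade even when the lockfile resolution is what the tool intended. The helper below is an added example, not code from the Superset project, Dependabot, or the comment's author: it parses the `bump <pkg> from <a> to <b>` title form, orders the two versions under SemVer 2.0 precedence (including pre-release identifiers, which the comment does not cover), and cross-checks the title's target against the resolved version in a `package-lock.json` so a reviewer triages an apparent downgrade instead of merging it on trust. The function names, the `packages`/`node_modules/<name>` lockfile layout (lockfileVersion 2/3) and the embedded sample lockfile are assumptions and constructed data.

```python
"""Triage Dependabot PR titles whose target version is lower than the current one.

Hypothetical review helper (not Superset's or Dependabot's code). It reads the
"bump <pkg> from <a> to <b>" title form, compares both versions under SemVer 2.0
precedence, and checks the target against a package-lock.json.
"""
import json
import re
from typing import Optional, Tuple

# Dependabot's default title form; the versions are captured as raw strings.
TITLE_RE = re.compile(r"^bump (?P<name>\S+) from (?P<old>\S+) to (?P<new>\S+)", re.IGNORECASE)

# SemVer 2.0 core, optional pre-release, optional (ignored) build metadata.
SEMVER_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)

# Constructed sample lockfile (lockfileVersion 3 layout assumed); the registry URL is a placeholder.
SAMPLE_LOCK = json.dumps({
    "name": "example-frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"dompurify": "^3.4.8"}},
        "node_modules/dompurify": {
            "version": "3.4.8",
            "resolved": "https://registry.example.invalid/dompurify/-/dompurify-3.4.8.tgz",
        },
    },
})


def parse_title(title: str) -> Optional[Tuple[str, str, str]]:
    """Return (package, from_version, to_version) or None if the title is not a bump."""
    m = TITLE_RE.match(title.strip())
    return (m["name"], m["old"], m["new"]) if m else None


def semver_key(version: str):
    """Sort key implementing SemVer 2.0 precedence (spec item 11)."""
    m = SEMVER_RE.match(version)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    pre = m["pre"]
    # Numeric identifiers compare as integers and rank below alphanumeric ones;
    # alphanumeric identifiers compare lexically.
    pre_key = tuple(
        (0, int(p), "") if p.isdigit() else (1, 0, p) for p in pre.split(".")
    ) if pre else ()
    # A release (no pre-release tag) outranks any pre-release of the same core: True > False.
    return (int(m["major"]), int(m["minor"]), int(m["patch"]), pre is None, pre_key)


def classify(title: str) -> str:
    """'upgrade', 'downgrade', 'same', or 'unparsed' for a Dependabot-style title."""
    parsed = parse_title(title)
    if parsed is None:
        return "unparsed"
    _, old, new = parsed
    old_key, new_key = semver_key(old), semver_key(new)
    if new_key > old_key:
        return "upgrade"
    if new_key < old_key:
        return "downgrade"
    return "same"


def lockfile_version(lock_json: str, name: str) -> Optional[str]:
    """Resolved version of the top-level `name` entry in a lockfileVersion 2/3 package-lock.json."""
    lock = json.loads(lock_json)
    entry = lock.get("packages", {}).get(f"node_modules/{name}")
    return entry.get("version") if entry else None


def triage(title: str, lock_json: str) -> dict:
    """Decide whether a bump PR can pass on title alone or needs a human look."""
    parsed = parse_title(title)
    if parsed is None:
        return {"direction": "unparsed", "action": "review"}
    name, old, new = parsed
    direction = classify(title)
    resolved = lockfile_version(lock_json, name)
    lock_matches = resolved == new.lstrip("v")
    # Only a forward bump whose lockfile agrees with the title is waved through;
    # a downgrade or a title/lockfile mismatch is routed to review.
    action = "ok" if direction == "upgrade" and lock_matches else "review"
    return {
        "package": name, "from": old, "to": new, "resolved": resolved,
        "direction": direction, "lock_matches_title": lock_matches, "action": action,
    }


if __name__ == "__main__":
    print(triage("bump dompurify from 3.4.9 to 3.4.8", SAMPLE_LOCK))
```

For the title from this PR the helper reports `direction: downgrade` with the lockfile agreeing with the title, so the PR is sent to review rather than rejected: that matches the comment's point that the resolution itself is correct while the title is misleading, and it still catches the case where a lockfile resolves to something other than what the title claims.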
