Dependabot ignores image references in COPY Dockerfile statement #5103
Comments
I would love to see a PR for this @kereis! I don't think it would be hard to add in multi-stage build support. We already fetch the dockerfiles in a project, so we just need to parse out the image names in The file updater might need some slight modifications to make sure it doesn't change the rest of the The docs have one edge case that we have to pay attention to, though:
The docs state "the
Just wanted to say that I'd really like this feature too. I'm having this in my Dockerfile:
COPY --from=composer:2.5.5 /usr/bin/composer /usr/local/bin/composer
And I'd like Dependabot to automatically update it.
As a workaround, just add the image in your
FROM ldez/traefik-certs-dumper:v2.7.0 AS tcd
FROM composer:2.5.5 AS c
FROM anotherbase:1.2.3
COPY --from=tcd /some/file /some/location
COPY --from=c /usr/bin/composer /usr/local/bin/composer
💥
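An added example, not dependabot-core's own parser, of the extraction the maintainer sketches above, run over the workaround Dockerfile: it records the stage aliases declared by FROM ... AS so that a COPY --from that names a stage (or a numeric stage index) is not mistaken for an external image, while a COPY --from that names an image:tag directly is reported alongside the FROM images. The function names image_references and parse_ref are assumed, and the sample Dockerfile is constructed.

```ruby
# Constructed sample: the workaround above plus a COPY that names an image directly.
SAMPLE_DOCKERFILE = <<~DOCKERFILE
  FROM ldez/traefik-certs-dumper:v2.7.0 AS tcd
  FROM composer:2.5.5 AS c
  FROM anotherbase:1.2.3
  COPY --from=tcd /some/file /some/location
  COPY --from=c /usr/bin/composer /usr/local/bin/composer
  COPY --from=composer:2.5.5 /usr/bin/composer /usr/local/bin/composer
  COPY --from=0 /x /y
DOCKERFILE

FROM_RE      = /\AFROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?/i
COPY_FROM_RE = /\ACOPY\s+.*?--from=(\S+)/i

# Split "registry:port/name:tag@sha256:..." into parts. A colon after the
# last slash separates the tag; one before it belongs to the registry host.
def parse_ref(value, source)
  name, digest = value.split("@", 2)
  colon = name.rindex(":")
  if colon && colon > (name.rindex("/") || -1)
    tag  = name[(colon + 1)..-1]
    name = name[0...colon]
  end
  { name: name, tag: tag, digest: digest, source: source }
end

# Every external image referenced by FROM or COPY --from. A --from value
# that names an earlier stage alias or a numeric stage index is skipped.
def image_references(dockerfile)
  stage_names = []
  refs = []
  dockerfile.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    if (m = FROM_RE.match(line))
      image, stage = m[1], m[2]
      # "FROM <earlier stage>" and "FROM scratch" reference no external image.
      internal = stage_names.include?(image.downcase) || image.casecmp?("scratch")
      refs << parse_ref(image, "FROM") unless internal
      stage_names << stage.downcase if stage
    elsif (m = COPY_FROM_RE.match(line))
      value = m[1]
      next if stage_names.include?(value.downcase) || value.match?(/\A\d+\z/)
      refs << parse_ref(value, "COPY")
    end
  end
  refs
end
image_references(SAMPLE_DOCKERFILE).each { |r| puts r.inspect } if $PROGRAM_NAME == __FILE__
```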
Package ecosystem
docker
Manifest location and content before the Dependabot update
dependabot.yml content
Updated dependency
FROM ldez/traefik-certs-dumper:v2.7.0
to
FROM ldez/traefik-certs-dumper:v2.8.1
What you expected to see, versus what you actually saw
The updating logic works fine for Docker images that are referenced via a FROM statement. For instance, Dependabot updates the docker Docker image in my Docker-flavored image and ldez/traefik-certs-dumper in my Alpine-flavored images. However, as you can specify Docker images in a COPY --from statement, I'd expect Dependabot to update the version of the used image as well. For example, if you take a look at my Docker-flavored images, you see that ldez/traefik-certs-dumper is used for copying files from its image to my image via a COPY --from statement. But I have never received any pull request regarding updating that dependency. The logs down below also never mention the Docker image used in the COPY --from statement.
Images of the diff or a link to the PR, issue, or logs
Dependabot logs for my Docker-flavored images
🕹 Bonus points: Smallest manifest that reproduces the issue
Check https://github.com/kereis/dependabot-docker-copy-from-bug if you want to try to reproduce this issue.
Other notes
I don't know if this is a real bug or if this is rather a feature request. I took a look at
dependabot-core/docker/lib/dependabot/docker/file_parser.rb, line 37 in e8a6a4b
docker updater only respects images referenced in a FROM statement inside Dockerfiles. This would possibly affect
dependabot-core/docker/lib/dependabot/docker/file_updater.rb, line 10 in e8a6a4b
So it might not technically be a bug but rather a missing feature. But I created this issue as a bug because this is something I would have expected from Dependabot to work.
If it's the real issue, I might try to add support for COPY statements and create a pull request. But until then I'd like to wait for feedback. 😄