Is there an existing issue for this?
Package ecosystem
pre-commit
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
This is in a private repo’s root .pre-commit-config.yaml file:
- repo: https://github.com/ambv/black
  rev: 25.1.0
  hooks:
    - id: black
      name: Format code
      args: [--config, pyproject.toml]
- repo: https://github.com/asottile/blacken-docs
  rev: 1.19.1
  hooks:
    - id: blacken-docs
      name: Format code in docstrings
      args: [--line-length, '120']
      additional_dependencies: [black==25.1.0]
Note here that
- the Black dependency is fairly old and several newer versions have been released (link); and
- the Black dependency and the additional_dependency for Blacken Docs match intentionally.
The latest Black version 26.5.1, however, was at the time of running just one day old and therefore quarantined by the cooldown. The most recent and non-quarantined version of Black would be 26.5.0.
dependabot.yml content
version: 2
updates:
  - package-ecosystem: pre-commit
    directory: /
    schedule:
      interval: weekly
    cooldown:
      default-days: 3
    commit-message:
      prefix: chore
      prefix-development: chore
      include: scope
    target-branch: main
    groups:
      pre-commit:
        patterns: ['*']
Updated dependency
- repo: https://github.com/ambv/black
  rev: 25.1.0  # No update due to cooldown.
  hooks:
    - id: black
      name: Format code
      args: [--config, pyproject.toml]
- repo: https://github.com/asottile/blacken-docs
  rev: 1.20.0  # Updated to latest.
  hooks:
    - id: blacken-docs
      name: Format code in docstrings
      args: [--line-length, '120']
      additional_dependencies: [black==26.5.1]  # Updated to latest despite cooldown.
What you expected to see, versus what you actually saw
- repo: https://github.com/ambv/black
  rev: 26.5.0  # Update to the latest version before cooldown.
  hooks:
    - id: black
      name: Format code
      args: [--config, pyproject.toml]
- repo: https://github.com/asottile/blacken-docs
  rev: 1.20.0
  hooks:
    - id: blacken-docs
      name: Format code in docstrings
      args: [--line-length, '120']
      additional_dependencies: [black==26.5.0]  # Same as above.
Native package manager behavior
When I run pre-commit autoupdate locally without the Dependabot-imposed cooldown:
- repo: https://github.com/ambv/black
  rev: 26.5.1  # Updated to latest, no cooldown.
  hooks:
    - id: black
      name: Format code
      args: [--config, pyproject.toml]
- repo: https://github.com/asottile/blacken-docs
  rev: 1.20.0
  hooks:
    - id: blacken-docs
      name: Format code in docstrings
      args: [--line-length, '120']
      additional_dependencies: [black==25.1.0]  # Ignored.
Images of the diff or a link to the PR, issue, or logs
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2688752..2ad566c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
- repo: https://github.com/ambv/black
rev: 25.1.0
hooks:
- id: black
name: Format code
args: [--config, pyproject.toml]
- repo: https://github.com/asottile/blacken-docs
- rev: 1.19.1
+ rev: 1.20.0
hooks:
- id: blacken-docs
name: Format code in docstrings
args: [--line-length, '120']
- additional_dependencies: [black==25.1.0]
+ additional_dependencies: [black==26.5.1]
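Review bot: in the blacken-docs entry, additional_dependencies moves to black==26.5.1 while the black hook above it stays at rev: 25.1.0, so the two Black pins no longer match and the "Format code in docstrings" hook would run a different Black than the "Format code" hook. Either hold this pin at the version the black rev uses, or bump both pins in the same change.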
Smallest manifest that reproduces the issue
Given the above dependabot.yaml and its cooldown of C = 3, and given a Python package Foo in versions 1.0.0, 2.0.0 and 3.0.0 whose release dates are C days apart, the following .pre-commit-config.yaml should show the issues:
repos:
  - repo: https://github.com/test/foo
    rev: 1.0.0  # Does not update, expect 2.0.0.
    hooks:
      - additional_dependencies: [foo==1.0.0]  # Updates to 3.0.0, but expect 2.0.0.
I hope this one would work 🤓
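A CI-side check for the two conditions this report describes, added here as an example and not part of the original issue or of Dependabot or pre-commit: it flags any `rev` or `additional_dependencies` pin younger than the cooldown, and any `additional_dependencies` pin that differs from the `rev` of the repo with the same name. Assumptions: the config is already parsed (as `yaml.safe_load` would return it) under a top-level `repos:` key, the repo name equals the package name, a version counts as quarantined while its age in days is below the cooldown, and the run date and release dates are constructed sample values.

```python
from datetime import date, timedelta

TODAY = date(2026, 1, 10)  # constructed run date
# Constructed release dates (not the real ones); a real check would look them up.
RELEASED = {
    ("black", "25.1.0"): TODAY - timedelta(days=400),
    ("black", "26.5.0"): TODAY - timedelta(days=5),
    ("black", "26.5.1"): TODAY - timedelta(days=1),
    ("blacken-docs", "1.20.0"): TODAY - timedelta(days=10),
}
# The report's "Updated dependency" config as yaml.safe_load() would return it
# (top-level `repos:` key assumed; hook names and args omitted).
CONFIG = {"repos": [
    {"repo": "https://github.com/ambv/black", "rev": "25.1.0",
     "hooks": [{"id": "black"}]},
    {"repo": "https://github.com/asottile/blacken-docs", "rev": "1.20.0",
     "hooks": [{"id": "blacken-docs",
                "additional_dependencies": ["black==26.5.1"]}]},
]}


def pins(config):
    """Yield (location, package, version) for every rev and every ==-pinned extra."""
    for repo in config.get("repos", []):
        name = repo["repo"].rstrip("/").rsplit("/", 1)[-1].lower()
        yield f"{name} rev", name, str(repo["rev"]).lstrip("v")
        for hook in repo.get("hooks", []):
            for dep in hook.get("additional_dependencies", []):
                pkg, sep, ver = dep.partition("==")
                if sep:  # unpinned or range specifiers are out of scope here
                    yield (f"{hook['id']} additional_dependencies",
                           pkg.strip().lower(), ver.strip())


def cooldown_violations(config, released, today, cooldown_days):
    """Pins younger than the cooldown; unknown release dates fail closed."""
    bad = []
    for where, pkg, ver in pins(config):
        when = released.get((pkg, ver))
        if when is None or (today - when).days < cooldown_days:
            bad.append((where, pkg, ver))
    return bad


def mismatched_pins(config):
    """Extras whose version differs from the rev of the repo of the same name."""
    found = list(pins(config))
    revs = {pkg: ver for where, pkg, ver in found if where.endswith(" rev")}
    return [(pkg, revs[pkg], ver) for where, pkg, ver in found
            if not where.endswith(" rev") and pkg in revs and revs[pkg] != ver]
```

Run against the sample, `cooldown_violations(CONFIG, RELEASED, TODAY, 3)` reports only the `black==26.5.1` extra and `mismatched_pins(CONFIG)` reports the 25.1.0 / 26.5.1 split.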