Fix group PR closure when dependencies remain outdated but no new versions available

[Copilot]

What are you trying to accomplish?

Dependabot incorrectly closes group PRs during scheduled refresh when no new dependency versions are available, even when the PR's proposed updates are still needed. This creates a close/recreate cycle on each interval.

The bug is in group_update_refreshing.rb:36-40 where empty updated_dependencies unconditionally triggers PR closure. This conflates two distinct scenarios:

1. Dependencies are outdated, PR still needed, but no new versions available (should keep PR open)
2. Dependencies were updated externally to PR target version (should close PR)

Anything you want to highlight for special attention from reviewers?

Core logic change:

# Before: Always close on empty updated_dependencies
if dependency_change.updated_dependencies.any?
  upsert_pull_request(dependency_change, group)
else
  close_pull_request(reason: :update_no_longer_possible, group: group)
end

# After: Check if PR is still valid
if dependency_change.updated_dependencies.any?
  upsert_pull_request(dependency_change, group)
elsif pr_exists_and_is_up_to_date?(dependency_change, group)
  # Main branch still outdated, keep PR open
  service.update_pull_request(dependency_change, dependency_snapshot.base_commit_sha)
else
  # Dependencies were updated externally or removed
  close_pull_request(reason: :update_no_longer_possible, group: group)
end

Implementation:

• pr_exists_and_is_up_to_date? iterates PR dependencies and compares current_version vs pr_target_version
• Returns true when all dependencies remain below PR target (still outdated)
• Returns false when any dependency matches/exceeds PR target (already done) or is missing
• Split into helper methods to satisfy Rubocop complexity limits

String comparison is used for versions to match PR data format, consistent with dependency_change_builder.rb:84.

How will you know you've accomplished your goal?

Existing test "when the dependencies have been since been updated by someone else" validates scenario #2 (external update → close PR).

Scenario #1 (still outdated → keep PR) requires integration testing with actual refresh cycles, which needs Docker environment not available in current CI setup.

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Dependabot closes PR if not merged before next interval triggers</issue_title>
<issue_description>### Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

maven

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "daily"
      time: "09:51"
      timezone: "Europe/Oslo"
    groups:
      patch-and-minor:
        update-types:
          - "patch"
          - "minor"
      major:
        update-types:
          - "major"

Updated dependency

No response

What you expected to see, versus what you actually saw

With the current dependabot.yaml, we check the dependencies with a daily interval. If there is no current open dependabot PR in the repo, dependabot will create 2 PRs as specified in the groups config.

The next time the interval triggers again, we expect Dependabot to take no action (since dependencies has not changed in this case), or update the current PR if there is any changes.

But instead dependabot closes the PR with the following message: "Looks like these dependencies are no longer updatable, so this is no longer needed." This makes no sense to me, since nothing has changed.

Next interval again, since there is no existing PRs, dependabot creates 2 new PRs again. The cycle continues...

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

Smallest manifest that reproduces the issue

Use the following yaml. Set the time firstly to a few minutes into the feature to trigger the PR creations. Then update the time again to a few mins into the future, and watch dependabot close the PRs. (Same approach used to show the issue in the image)

version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "daily"
      time: "09:51"
      timezone: "Europe/Oslo"
    groups:
      patch-and-minor:
        update-types:
          - "patch"
          - "minor"
      major:
        update-types:
          - "major"
```</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>

• Fixes Dependabot closes PR if not merged before next interval triggers #11439

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[AbhishekBhaskar]

Closing as issue is not reproducible.