NuGet packages being reported as updated despite not existing in the commit

[xt0rted]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

nuget

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

• Bump the analyzers group with 4 updates xt0rted/dotnet-startup-projects#134
• Bump the testing group with 5 updates xt0rted/dotnet-startup-projects#135
• https://github.com/xt0rted/dotnet-startup-projects/network/updates/762957402

Here's more in a different repo

• Bump the analyzers group with 3 updates xt0rted/dotnet-rimraf#268
• Bump the system-io group with 2 updates xt0rted/dotnet-rimraf#270
• Bump the testing group with 5 updates xt0rted/dotnet-rimraf#271

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

There should have been 4 packages updated in the first PR, and 5 in the second, which the title & body of the PR says, but there's only 1 package updated in each. The same is true in other repos, both public and private. It seems to be any nuget update group with more than 1 package update results in only 1 package being updated while the title & body have the correct information.

I have dependabot logs in all my repos that have a TON of errors about being run on a read-only file system but I'm not sure if that's related to this issue. Both things seem to only be happening for nuget packages though.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

[azhuge233]

The same thing started to happen in my private repo since last week, which has group update configured. It only updates one dependency in each group.
For me, there are no errors about read-only file system though, it only has errors like

  proxy | 2023/12/28 16:22:02 [377] 400 https://dc.services.visualstudio.com:443/v2/track
  proxy | 2023/12/28 16:22:02 [377] Remote response: {"itemsReceived":1,"itemsAccepted":0,"errors":[{"index":0,"statusCode":400,"message":"103: Field 'time' on type 'Envelope' is older than the allowed min date. Expected: now - 172800000ms, Actual: now - 612414003ms"}]}

[xt0rted]

I just noticed a couple of the PRs we got at work this week are not only not updating all the packages the PR says it is, but they're also duplicating the packages in the PR description.

[jmfennell]

We are also experiencing this (in a private repo). For us, the PR description is correct (no duplicates), but it only actually bumps the version of the last dependency listed.

[samtrion]

Similar / same error pattern as #8576

[pdevito3]

also seeing this across multiple repos

[kmcc049]

This is a duplicate of #8576