Invalid minor bump in non-main branch when only paths are allows

[abelsromero]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

Gradle

Package manager version

7.6

Language version

Java

Manifest location and content before the Dependabot update

It's a public repo, here are the most recent invalid PRs opened with all details:

• (2.0.x): Bump org.springframework.boot from 3.0.6 to 3.1.1 spring-cloud/spring-cloud-app-broker#797
• (2.0.x): Bump org.springframework.boot from 3.0.8 to 3.1.2 spring-cloud/spring-cloud-app-broker#818

dependabot.yml content

We configure multiple branches in the depedabot.yml from the main branch.

https://github.com/spring-cloud/spring-cloud-app-broker/blob/d9535220afc5e07af61ff5237033d42d8efb9cd1/.github/dependabot.yml#L1

Updated dependency

We see minor bumps when these should not me allowed.

    ignore:
      - dependency-name: "org.springframework.boot:*"
        update-types:
          - "version-update:semver-major"
          - "version-update:semver-minor"
      - dependency-name: "spring-cloud-starter-op

What you expected to see, versus what you actually saw

In the case of the spring-cloud/spring-cloud-app-broker#818, a 3.0.9 exists that does not get a PR, instead we get 3.1.2 bump.

Native package manager behavior

Does not apply.

Images of the diff or a link to the PR, issue, or logs

Here are the most recent invalid PRs opened:

• (2.0.x): Bump org.springframework.boot from 3.0.6 to 3.1.1 spring-cloud/spring-cloud-app-broker#797
• (2.0.x): Bump org.springframework.boot from 3.0.8 to 3.1.2 spring-cloud/spring-cloud-app-broker#818

Smallest manifest that reproduces the issue

Truth be told, we have similar policies in other repos and we've only seen a repeated error in this repo/branch.