Dependabot task stalls for >1 hour and is canceled by Azure Pipelines

[abhishekgoenka]

Categorization

• This is not a permissions issue (Seek help at 403 error when Dependabot tries to create a pull request #1245)

• This is an issue specific to Azure DevOps or this repository and does not belong in dependabot-core.
  Specific issues for dependabot are solved faster in the core repository. For example, why a package version is skipped.
  Trying out this behaviour in the GitHub Hosted version can help you pinpoint where it lies.

• I have linked a public reproduction of the specific issue or none is required because the issue is not specific to me.
  Please note that you can create a public organization/project and repository to show the issue. This tends to accelerate resolution.

Repository

No response

Steps to reproduce

The Dependabot Azure DevOps task (dependabot@2) always runs for more than 60 minutes without completing pull request creation.
When this happens, Azure Pipelines automatically cancels the job, resulting in no pull request being created, even though Dependabot logs indicate that it reached the “Creating a pull request” stage.
This makes Dependabot unreliable for repositories with large dependency graphs (e.g., Angular + Kendo + React + private npm registries).

Environment

• Azure DevOps Services
• Microsoft-hosted agent
• ubuntu-latest
• Dependabot task version: 2.66.0
• Repo type: Azure Repos (Git)
• Package ecosystem: npm
• Private registry: JFrog Artifactory (npm proxy)
• Pipeline timeout: default (60 minutes)

Expected behavior

Dependabot should:

• Complete dependency processing
• Create a branch
• Create a pull request
• Exit cleanly within a reasonable time or fail fast with a clear error

Actual Behavior

• Task runs for > 60 minutes
• Azure Pipelines cancels the job automatically
• Logs show:

Creating a pull request for 'kendo'
##[error]The operation was canceled.

• Plain TextCreating a pull request for 'kendo'##[error]The operation was canceled.Show more lines
• No PR is created in Azure Repos
• No actionable error is reported by the task itself

Logs and screenshots

dependabot.yml

version: 2

registries:
  artifactory-npm:
    type: npm-registry
    url: https://curationuhg.jfrog.io/artifactory/api/npm/glb-npm-npm-remote-rem/
    token: ${{ jfrogauthtoken }}

updates:
  - package-ecosystem: 'npm'
    registries:
      - artifactory-npm
    directory: '/ClientApp/'
    schedule:
      interval: 'weekly'
    open-pull-requests-limit: 5
    groups:
      angular:
        patterns:
          - "@angular/*"
      kendo:
        patterns:
          - "@progress/*"

Azure-Pipeline.yml

trigger: none

schedules:
  - cron: '0 0 * * 0' # weekly on sunday at midnight UTC
    displayName: Weekly Dependabot Run
    branches:
      include:
        - develop
    always: true
    batch: true

    
variables:
  - group: jfrogartifactory_authtoken

pool:
  vmImage: "ubuntu-latest"  # requires macos or ubuntu (windows is not supported)

steps:
   # Create global .npmrc for JFrog
  - task: PowerShell@2
    displayName: 'Create .npmrc for JFrog registry'
    inputs:
      targetType: 'inline'
      script: |
        $npmrcPath = "$(System.DefaultWorkingDirectory)/.npmrc"
        Set-Content -Path $npmrcPath -Value "registry=https://curationuhg.jfrog.io/artifactory/api/npm/glb-npm-npm-remote-rem/"
        Add-Content -Path $npmrcPath -Value "//curationuhg.jfrog.io/artifactory/api/npm/glb-npm-npm-remote-rem/:_authToken=$(jfrogauthtoken)"
        Add-Content -Path $npmrcPath -Value "always-auth=true"
  - task: dependabot@2
    inputs:
      azureDevOpsAccessToken: $(DEPENDABOT_PAT)
      

Extension Host

Azure DevOps

Extension Version

2.66.0

Server Region

No response

Server Version

No response

Additional context

[sailro]

I'm hitting the same exact issue,