updates.pin does not respect more specific targetting #3693
Description
Situation
I have a project that uses play 2.8.X and scalikejdbc 3.X. I want to set up my pins so that I will not receive updates past play 2.8 and scalikejdbc 3 (ignoring the fact that these are EOL). I set up my pins like this:
updates.pin = [
{ groupId = "com.typesafe.play", version = "2.8" },
{ groupId = "org.scalikejdbc", artifactId = "scalikejdbc-play-initializer", version = "2.8.0-scalikejdbc-3." },
{ groupId = "org.scalikejdbc", version = "3" }
]
I assumed that this specific targetting of the scalikejdbc-play-initializer would stop it from trying to update it to version 3, but I was incorrect:
new version: org.scalikejdbc:(scalikejdbc-play-initializer, scalikejdbc-play-initializer_2.13) : 2.8.0-scalikejdbc-3.5 -> 3.0.1-scalikejdbc-4.3
Code
Having dug into the code, I believe I have discovered this is intended behavior. It allows through updates if any of our patterns, which are actually our list of updates.pin in this context, allow the new version in.
This feels like surprising behavior to me, since the above pinned updates pretty explicitly target the play initializer both with a more specific artifactId, and by being earlier in the list, which gives precedence in the context of pullRequests.grouping
Proposed Solution
It would make sense to me that the first pin found that matches a particular artifact would be the one to constrain the version number, and the .filter in byGroupId.filter(_.artifactId.forall(_ === update.artifactId.name)) could be replaced with a .find.
I found no other issues discussing this behavior, so it's totally possible that it has already been discussed and this is very intentional. If so, I'd appreciate the link to such a discussion if possible.