I have a directory /experiments in my repo which contains - surprise! - experiments. Those usually come with their own package.json which includes dependencies that were up to date at the time I made the experiment but might be outdated by now. I have no intent to keep them up to date as the experiments are just proofs of concepts - concepts I might want to use later in the project but I would then implement anew in the main project.
Unfortunately Dependabot sends me a lot of PRs that are about those dependencies in /experiments. Many of them require manual efforts on my end. So I would like to tell Dependabot to not send any notifications or create PRs for everything that is in the /experiments directory (but keep creating PRs for dependencies in the main project).
I didn't really find many docs about how to configure Dependabot on GitHub, but I came up with this /.github/dependabot.yml:

version: 2
updates:
  # Ignore experiments:
  - package-ecosystem: "npm"
    directory: "/experiments"
    schedule:
      interval: "daily"
    ignore:
      - dependency-name: "*"
It doesn't seem to work though. Today I received another PR from Dependabot that bumped one of the dependencies in /experiments. It was automatically merged, so no effort on my end, but still a bit annoying.
How can I do this right?
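As an added example (not the asker's file and not GitHub's documentation), this is the version-update configuration I would use instead, assuming the main project's package.json sits at the repository root. Dependabot version updates only run for the directories listed under `updates`, so the /experiments entry is simply left out rather than listed with an ignore rule; security-update PRs are a separate feature controlled from the repository's Settings page.

```yaml
# /.github/dependabot.yml  (added example, not the asker's config)
version: 2
updates:
  # Version updates are only generated for directories listed here.
  # Listing only the main project (assumed to live at "/") means
  # /experiments never gets version-update PRs, with no ignore rule needed.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Optional: still skip noisy dev-only tooling in the main project.
    # "@types/*" is a constructed example pattern, not from the question.
    ignore:
      - dependency-name: "@types/*"
        update-types: ["version-update:semver-patch"]

# Note: there is deliberately no entry for "/experiments".
# An entry with `ignore: - dependency-name: "*"` still schedules a
# version-update job for that directory; omitting the directory is simpler.
# Security-update PRs (created from Dependabot alerts) are enabled or
# disabled under Settings > Code security and analysis, not through this
# file, and cannot be scoped to a single directory.
```

If an auto-merged PR for /experiments still appears, check whether it is a security update: those are triggered by alerts on any manifest in the dependency graph, independent of the `updates` list above.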
Dependabot checks for outdated dependencies as soon as it's enabled. You may see new pull requests for version updates within minutes of adding the configuration file, depending on the number of manifest files for which you configure updates.
Open your repo and go to Settings. Click on Code security and analysis in the Security subsection. There you will find the Dependabot settings with a Disable button for turning off the automated advisories.
Unless a specific time is provided, Dependabot version updates run at 5AM UTC daily, weekly, or monthly; however, this results in large usage spikes that slow down updates for everyone. Starting today, we no longer schedule unspecified updates at the same time.
If you have Dependabot security updates enabled, there may be a link to a pull request that will fix the dependency. Alternatively, you can click Create Dependabot security update at the top of the alert details page to create a pull request.
In GitHub-native Dependabot, all configuration of version updates is done via the configuration file. This file is very similar to the dependabot-preview configuration file, but we’ve made a few changes and improvements that will be automatically included in the update pull request.
When GitHub identifies a vulnerable dependency or malware, we generate a Dependabot alert and display it on the Security tab for the repository and in the repository's dependency graph. The alert includes a link to the affected file in the project, and information about a fixed version.
To enable Dependabot security updates, go to your repository’s Settings page, click the new Security & analysis tab on the left, and then click Enable next to Dependabot security updates. You can also check on this tab if they’re already enabled. Security updates are already enabled on most repositories.
When Dependabot edits a manifest file to update a version, it uses the following overall strategies: For apps, the version requirements are increased, for example: npm, pip and Composer. For libraries, the range of versions is widened, for example: Bundler and Cargo.
This doesn't seem possible as of February 2022: https://github.com/dependabot/dependabot-core/issues/4364