I'm using GitHub dependabot.yml, version 2:

version: 2
updates:
  # Nuget Packages
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "monthly"
I am trying to figure out if there is any possibility to configure it so that the dependencies are updated only if they include security fixes, as can be done for version 1:

version: 1
update_configs:
  - package_manager: "dotnet:nuget"
    directory: "/"
    update_schedule: "monthly"
    allowed_updates:
      - match:
          update_type: "security"
Let me know if you had the same issue and how you resolved it.
Thanks
Dependabot security updates make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a Dependabot alert is raised for a vulnerable dependency in the dependency graph of your repository, Dependabot automatically tries to fix it.
Fixing vulnerable dependencies: If you have Dependabot security updates enabled, there may be a link to a pull request that will fix the dependency. Alternatively, you can click Create Dependabot security update at the top of the alert details page to create a pull request.
There is also Snyk, which supports a vast number of languages and build tools, yet it's a paid tool for non-OSS projects. And, finally, there is Dependabot, recently acquired by Github and available free-of-charge once you host your repos on Github.
Unless a specific time is provided, Dependabot version updates run at 5AM UTC daily, weekly, or monthly; however, this results in large usage spikes that slow down updates for everyone.
According to GitHub support, you can set the number of open pull requests to 0 in dependabot.yml:

open-pull-requests-limit: 0
This means it will only create security updates.
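Putting the two pieces together, as an added example that is not from the original thread: the questioner's NuGet entry with the open-pull-requests-limit setting from this answer placed where it belongs, under the update entry. It assumes security updates are enabled separately in the repository's security settings, as the thread describes.

```yaml
# Added example: complete dependabot.yml (v2) for a NuGet project that should
# receive security-fix pull requests only.
version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "monthly"
    # 0 suppresses version-update pull requests for this entry.
    # Security-update pull requests are not governed by this limit, but they
    # are only created when "Dependabot security updates" is enabled in the
    # repository's security settings; there is no key for that in this file.
    open-pull-requests-limit: 0
```

Dependabot still runs the monthly check, so the repository dependency graph and alerts stay current; only the version-bump pull requests are held back.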
Yeah, I was having the same problem; then I found something like this GitHub community thread.
I remembered where I saw this. When using the original dependabot from the marketplace one configuration option is to only perform security updates. I have that set from one of my repositories. There is now an option in the original dependabot to generate a dependabot.yml configuration file using the settings configured in the original dependabot (to assist in transitioning to using dependabot.yml). When I do so for the repository with only security updates enabled I receive this message:
"You're using unsupported features: This repository is configured to only scan for security updates. Configuring security updates using the new config file is not supported. You can instead enable Dependabot Security Updates from the repository security settings page."
It sounds like in Dependabot v2 they have separated out the security updates into UI config; this is as bad as the GitHub Action secret. But it looks like you don't need dependabot.yml to configure security patches for dependencies anymore.
Let me know if that helps.