Hello all,
I'm evaluating switching to dependabot from another system and I have 2 questions I hope you can answer:
I've looked for a config file to set in my repo but haven't found anything.
Thank you!
+1 on ignoring and unignoring dependencies via inspectable, mutable repo state.
Hey Antón,
Thanks for getting in touch, and for the questions!
Is it possible to tell dependabot to ignore a package ahead of time?
Not right now, but we're planning to add that option in the next month or so. We're working on adding support for a config file which will make it easier to specify which dependencies you want to ignore, as well as adding an expanded show view to the Dependabot dashboard (which would display all your dependencies, and make it easy for you to specify a dependency you want to ignore from there, too). Previously the blocker on this is that there hasn't been an interface from which you could do it.
On setting an ignore after a PR has come in, if you comment @dependabot ignore this dependency then Dependabot won't create any more PRs for it unless you upgrade it yourself.
Is it possible to change the commit messages?
Yes! Dependabot commit messages aren't 100% configurable, but we try to accommodate everything users want. As such, Dependabot:
It doesn't always get it right, so there's an override: If you edit the commit message of the last Dependabot commit (e.g., by using GitHub's squash and merge option when merging a PR) then Dependabot will pick up that you want to switch convention and do so.
If you run into any trouble on commit messages just ping me and I'll figure out a way to incorporate what you need in our logic. At some point we may need to go fully configurable, but I'd like Dependabot to do as good a job as possible of autodetecting first.
Thanks @greysteil for your answer!
Can't wait to see this implemented in the next few weeks 😊
Yes! Dependabot commit messages aren't 100% configurable, but we try to accommodate everything users want.
It would be swell if I could have a property in the configuration file similar to:
{
"commitMessage": "Chore: Update ${dependency} to v${version}"
}
What I'd like to have is a configuration file that I can drop in any of my projects and avoid having to set up anything via the user interface or commit messages. Is this in your roadmap?
What I'd like to have is a configuration file that I can drop in any of my projects and avoid having to set up anything via the user interface or commit messages. Is this in your roadmap?
Yep! Going to be the next big thing we ship - working on it right now. 🙂
On the commit message, that's pretty close to what you'll get if Dependabot detects you're using capitalised Angular prefixes without a scope. I think right now it will be Chore: Bump {dep-name} from {old-v} to {new-v}. Once we have config files that make it easier to write and store settings like fully custom commit messages I think it will make sense for Dependabot to support them, though.
Awesome!
I kept checking this issue for updates but I was looking in the wrong place :D Config files are supported with a beta now: https://github.com/dependabot/feedback/issues/70
Indeed! Ignores aren't in the config file yet but I'm going to close this to prevent confusion - ignore support in config files is coming soon!