Dependabot-core: PRs only for security updates

Created on 1 May 2020 · 3 comments · Source: dependabot/dependabot-core

Hey, kudos for the great work.
In the Dependabot hosted version (https://app.dependabot.com) I'm able to select "Only security updates" for PRs; it would be nice if we could have the same feature here.
Cheers

All 3 comments

@v1sion it's tricky to make this a straightforward option in core, as you have to provide all the security advisories yourself when self-hosting dependabot-core. You could achieve the same by checking that the updated versions are fixing a SecurityAdvisory.

@v1sion, I haven't tried this myself yet, but you could try setting allowed_updates, and setting update_type to "security". Like this:

version: 1
update_configs:
  - package_manager: "javascript"
    directory: "/"
    update_schedule: "daily"
    allowed_updates:
      - match:
          update_type: "security"

From https://dependabot.com/docs/config-file/#allowed_updates

@nikolas I believe that only works with the GitHub-hosted bot. I am working on something internally similar to what @feelepxyz mentioned, using https://github.com/rubysec/ruby-advisory-db and the GitHub API: I pull the security vulnerabilities from that repo, and massage the data to match what Dependabot::SecurityAdvisory expects. Then I pass those into the checker.

https://gist.github.com/BobbyMcWho/3ce09bde5abb674e61092efbe7390ffb

I haven't 100% fleshed this out yet, since I'm having some issues with getting rails updated appropriately when there is a vulnerability in only 1 of its core gems.
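An added Ruby sketch (not BobbyMcWho's gist and not dependabot-core's own code) of the two ideas in this thread: massaging a ruby-advisory-db entry into the fields a Dependabot::SecurityAdvisory would take, and then checking that a candidate version actually fixes the advisory before letting an update through. The advisory text is constructed, and the keyword names dependency_name, package_manager and safe_versions are assumed rather than taken from this page.

```ruby
require "yaml"
require "rubygems"

# Constructed sample in the ruby-advisory-db layout (gems/<name>/<id>.yml).
# The gem name and version ranges are illustrative, not a real advisory.
SAMPLE_ADVISORY = <<~YAML
  gem: example-gem
  title: Example advisory (constructed for this sketch)
  patched_versions:
    - "~> 5.2.4, >= 5.2.4.3"
    - ">= 6.0.3.1"
  unaffected_versions:
    - "< 5.0.0"
YAML

# Turn one advisory document into the fields we assume
# Dependabot::SecurityAdvisory.new takes (assumed keyword names).
# Every patched or unaffected range counts as "safe"; anything else is vulnerable.
def advisory_to_dependabot_args(yaml_text)
  doc = YAML.safe_load(yaml_text)
  safe = Array(doc["patched_versions"]) + Array(doc["unaffected_versions"])
  {
    dependency_name: doc["gem"],
    package_manager: "bundler",
    # "~> 5.2.4, >= 5.2.4.3" becomes one requirement with both constraints.
    safe_versions: safe.map { |r| Gem::Requirement.new(*r.split(",").map(&:strip)) }
  }
end

# A version is vulnerable when no safe requirement admits it.
def vulnerable?(args, version)
  v = Gem::Version.new(version)
  args[:safe_versions].none? { |req| req.satisfied_by?(v) }
end

# The check feelepxyz describes: accept an update only if it moves a
# currently vulnerable version onto a version the advisory calls safe.
def security_fix?(args, current_version, candidate_version)
  vulnerable?(args, current_version) && !vulnerable?(args, candidate_version)
end
```

With these arguments in hand, the self-hosted flow would build the advisory objects and hand them to the update checker, which is the part the gist above does against the live repo.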
