Dependabot-core: Provide a way to opt out of major version updates

Created on 13 Mar 2020 · 6 Comments · Source: dependabot/dependabot-core

It would be good if you could specify in the config.yml that you want minor, patch and security updates but not major version change updates. Is this possible now or going to be possible?

Most helpful comment

Being able to filter by version types would also allow for labelling them differently - opening up lots of possibilities with GitHub actions.

e.g.

updates:
  - package-ecosystem: npm
    update_types:
      - "semver:patch"
      - "semver:minor"
    labels:
      - "dependency"
      - "automerge"

  - package-ecosystem: npm
    update_types:
      - "semver:major"
    labels:
      - "dependency"

and then automerge any PRs with the automerge label.

All 6 comments

+1, but I would like to see both PRs - major and minor updates, for example for the @types/node package. In some repositories we are still using node 12, and there are still @types/node@12 updates, but I only see PRs for @types/node@13.

Assuming that you have high test coverage, you can use auto-merging and opt out of major version upgrades:

  automerged_updates:
  - match:
      dependency_type: all
      update_type: semver:minor

Thus, you will still get the major upgrade PRs, but only minors and patches are auto-merged.
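The v1 `automerged_updates` block above keeps the major PRs and only auto-merges the rest. For what the issue actually asks for, no major-version PRs at all while minor and patch PRs still arrive, the v2 `dependabot.yml` format that replaced `config.yml` supports an `ignore` rule keyed on update type. The snippet below is an added example, not configuration from the thread or from dependabot-core; the ecosystem, directory and label names are placeholders.

```yaml
# Added example: .github/dependabot.yml (v2 format).
# Opens minor and patch update PRs for npm, suppresses all major-version bumps.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # "*" matches every dependency; only the major level is ignored,
    # so minor and patch PRs are still raised.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    labels:
      - "dependency"
```

One caveat: ignoring majors is a convenience, not a safety net. If the only release that fixes a vulnerability is a new major version, do not rely on a PR showing up in the feed; check the repository's security alerts directly and decide on that major bump by hand.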

+1, it would be good to either allow only patch/minor updates or ignore major versions in the config file. Is something being looked at in v2, since there has been no update since March?

This is similar to #2154 and #2219 as well. There seems to be demand for limiting the scope of an update to a version group or level. I would be interested in two different managers running on different schedules to handle patch/minor/major with different frequencies. I can envision different strategies that approach this with opposite frequencies, for example:

  1. check patch/minor versions less frequently because they're annoying, but check major more frequently because their rarity dictates their frequency anyway and they can carry important feature upgrades
  2. check patch/minor versions more frequently because they're uncontroversial and easy to merge (or auto-merge!), but check major less frequently because those PRs take more time to review and require a different kind of attention

update_type: "semver:patch" would be very helpful here.

