Dependabot-core: Split pull requests for different base versions

Created on 31 Jul 2019 · 4 comments · Source: dependabot/dependabot-core

I am working within a Lerna monorepo using a yarn workspace and dependabot is great for keeping our dependencies up to date. There are some situations where I have to manually change a PR and it would be great if dependabot handled these differently.

We have 3 packages that all use the same dependency (let's use webpack as an example), but for some reason we cannot upgrade through a breaking change on package A. So the current state of our dependencies is

  • A uses webpack 3.12.0
  • B uses webpack 4.37.0
  • C uses webpack 4.37.0

When a new version is released dependabot creates a commit and a PR for build(deps-dev): bump webpack from 3.12.0 to 4.38.0 that updates all 3 packages to use the latest version. Due to the known issue in package A, this breaks and our CI fails as expected. I then manually alter this commit to only perform the update in package B and C, leaving A on the older version.

It would be nice if dependabot could in some way split these updates up to make it more obvious what's breaking. Ideally they could be two separate PRs, one for 3.12.0 to 4.38.0 and one for 4.37.0 to 4.38.0. If that isn't possible then perhaps there would still be some value to having them as 2 separate commits within the PR.

language-support Llerna feature-request

All 4 comments

Thanks for the feedback @LankyLou.

Lerna makes things a bunch trickier for Dependabot, but we have a plan to help here. What we'd like to do is make it possible to specify the projects singularly or grouped together (for now grouped together is the only option).

Unfortunately we don't have much resource to work on new features as we work to scale Dependabot across GitHub, but we'll come back to it when we can.

Thanks @greysteil, it works great as it is; this could just make things easier for a handful of our dependencies.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.

Was in the process of writing a new issue, then found this one which is a perfect match. Here's my use-case:

Hello!

I've got a monorepo using Lerna and Yarn Workspaces and part of that are two packages in particular. One of the packages depends on Selenium v3 and the other package depends on Selenium v4.

Currently, when a new v4 version is released, Dependabot updates (for example) 4.0.0 to 4.0.1 (good), but also updates 3.0.0 to 4.0.1 (bad).

I could write @dependabot ignore this major version and v3 won't be updated to v4 anymore... but v4 won't be updated at all.

So I'd like to request something like: @dependabot ignore this major version for packages/my-package-v3.
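One way to express the per-package request above in a current `dependabot.yml` (an added illustration, not configuration from this thread or from the dependabot-core project): a separate `updates` entry for the v3 package that ignores major bumps of the Selenium dependency, while the v4 package keeps receiving every update. The dependency name `selenium-webdriver`, the second directory `/packages/my-package-v4` and the weekly schedule are assumptions; the thread only names `packages/my-package-v3`. It also assumes Dependabot honours directory-scoped entries for individual Yarn workspace members, which is exactly the point the thread leaves open.

```yaml
# Added example; assumes Dependabot's version 2 config format.
version: 2
updates:
  # The package pinned to Selenium v3: take patch and minor updates,
  # but never let Dependabot propose the v3 -> v4 jump here.
  - package-ecosystem: "npm"
    directory: "/packages/my-package-v3"   # path from the thread
    schedule:
      interval: "weekly"                   # assumed schedule
    ignore:
      - dependency-name: "selenium-webdriver"   # assumed npm package name
        update-types: ["version-update:semver-major"]

  # The package already on Selenium v4: no ignore rule, so 4.0.0 -> 4.0.1
  # and later major versions are all offered.
  - package-ecosystem: "npm"
    directory: "/packages/my-package-v4"   # assumed second package path
    schedule:
      interval: "weekly"
```

Scoping the ignore rule to one entry keeps the security-relevant behaviour the reporter wants: the v4 package still receives fixes promptly, and the package that cannot cross the breaking change still gets in-range updates rather than being frozen by a repository-wide `@dependabot ignore this major version`.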
