Dependabot-core: Restrict changing settings, config variables, plan to Github admins

Created on 4 Apr 2019 · 10 Comments · Source: dependabot/dependabot-core

Hi 👋

We just had an incident where someone or something changed the default rate limit from a value to unlimited; in the last 3 days we got 1000+ PRs from dependabot. We don't know what or who did it. Can we at least, for the moment, restrict access to these pages (settings, config variables, plan) to Organization admins only, please?

Thanks 💜

All 10 comments

Oh man, that sounds traumatic, sorry about that!

We're planning to make those pages admin only, but need a change from GitHub's side to do so (they don't currently expose to us whether a user is an org admin or not). We're working with them to get that done, and hope to do so in the next few weeks, but until then I can't make the change.

I'm going to keep this open until we can make the update.

Ah, we just realized this was a serious issue for us too, although nothing's happened yet. Thanks for spelling this out and for the response @greysteil -- eager to have some finer-grained control here as well.

Congrats on the news, btw!

Also linking to https://github.com/dependabot/feedback/issues/193, which is distinct but related. 👍

I've added this to the list of snags I want to take up with GitHub now we're internal.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.

Has there been any movement on this? I see this has been marked as 'enhancement'. For what it's worth, we could use this feature as well. We'd like to set up dependabot for dev teams at our company (~200 developers), but we need to limit who has access to the master settings. We can't safely roll out dependabot organizationally until this is in place.

@feelepxyz Do you have any insight on the status of this?

@feelepxyz bump

@npomoAtWork sorry for the slow response. There hasn't been much movement on fixing this on the GH side meaning we would have to ask all Dependabot installs for more permissions which I'm reluctant to do. We're also going to move Dependabot Preview functionality within GH where we'll make this the default so leaning towards a no-fix on this in the current preview dashboard 馃槩

Closing this as the Dependabot.com dashboard is going away in favor of the Dependabot config file: https://help.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates, which can be controlled and protected via PR policies.
