Dependabot-core: Support configuring allowed updates for security updates using config file

Created on 11 Sep 2020 · 13 comments · Source: dependabot/dependabot-core

I have configured a dependabot.yml that should ignore devDependencies


version: 2
updates:
  # Maintain dependencies for npm
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    allow:
      - dependency-name: "*"
        dependency-type: "production"
    ignore:
      - dependency-name: "*"
        dependency-type: "development"

Despite this I am still getting PRs for devDependency warnings.

What do I need to do to stop these from happening?

Label: bug

All 13 comments

Hi, that config file looks to be invalid: https://github.com/kyeotic/raviger/runs/1097204025

You cannot specify dependency-type in the ignore condition, but since you already have an allow rule set up to match only production dependency types, I think you can get rid of that ignore field entirely and it should work.

Lmk if that works 👍

I added the ignore field after the allow failed to stop a PR yesterday. I will remove ignore again and give it another day I guess.

It's happening again

with this config

version: 2
updates:
  # Maintain dependencies for npm
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    allow:
      - dependency-name: "*"
        dependency-type: "production"

@jurre I realized you probably wouldn't get notified from an issue re-opening... so :bump:

@feelepxyz do you have an idea what's going on here?

@kyeotic pretty sure that's because it's a security update fixing a vulnerability in lodash: https://github.com/advisories/GHSA-p6mc-m468-83gw

You currently can't configure allowed updates for security updates using the config file. Currently only the following config file options are used for security updates:

  • assignees
  • commit-message
  • ignore
  • labels
  • milestone
  • pull-request-branch-name.separator
  • rebase-strategy
  • reviewers
  • vendor
  • versioning-strategy

You'd have to ignore the dependencies specifically as we don't support ignoring dependency-type yet.
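As an added example (not from this thread or from dependabot-core), a small script that builds the name-based ignore list the workaround above calls for, so that security updates, which only honour `ignore`, skip the same dev-only packages the `allow` rule excludes from version updates; it assumes a constructed package.json and emits the YAML itself rather than depending on a YAML library.

```python
import json
from typing import List

# Constructed sample package.json (not from the issue): lodash is dev-only,
# express is production-only and "debug" is listed under both.
SAMPLE_PACKAGE_JSON = """
{
  "name": "example-app",
  "dependencies": {"express": "^4.17.1", "debug": "^4.1.1"},
  "devDependencies": {"lodash": "^4.17.15", "jest": "^26.4.2", "debug": "^4.1.1"}
}
"""


def dev_only_dependencies(package_json: str) -> List[str]:
    """Names under devDependencies that are NOT also under dependencies.

    A package present in both must not be ignored: a name-based ignore rule
    suppresses every update for that name, security updates included.
    """
    manifest = json.loads(package_json)
    prod = set(manifest.get("dependencies", {}))
    dev = set(manifest.get("devDependencies", {}))
    return sorted(dev - prod)


def render_ignore_block(names: List[str], indent: int = 4) -> str:
    """Render an `ignore:` list for one dependabot.yml update entry ("" if empty)."""
    if not names:
        return ""
    pad = " " * indent
    lines = [f"{pad}ignore:"]
    lines += [f'{pad}  - dependency-name: "{name}"' for name in names]
    return "\n".join(lines)


def render_dependabot_config(package_json: str) -> str:
    """Full dependabot.yml: production-only allow rule plus explicit ignores."""
    parts = [
        'version: 2\nupdates:\n  - package-ecosystem: "npm"\n    directory: "/"\n'
        '    schedule:\n      interval: "daily"\n    allow:\n'
        '      - dependency-name: "*"\n        dependency-type: "production"'
    ]
    block = render_ignore_block(dev_only_dependencies(package_json))
    if block:
        parts.append(block)
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    print(render_dependabot_config(SAMPLE_PACKAGE_JSON))
```

Re-run it whenever devDependencies change, since the generated list is a snapshot of the manifest.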

@feelepxyz That's surprising. Is this explained in the docs anywhere?

I think wanting to ignore dependabot warnings for devDependencies is a pretty common request. I don't see why this separate and additional category of "security updates" is even in the equation. If I say I don't want devDependency warnings I mean I don't want _any warnings for any devDependencies_. Frankly, this behavior is _wrong_.

I guess I'm just going to have to disable dependabot entirely.

Good feedback and legitimate use-case! Will add this to our backlog to fix, we haven't done much to make both products configurable using the same config file but are looking at changing this.

You can also only disable security updates from the GitHub UI:

[Screenshot 2020-11-20 at 17 46 11: GitHub repository settings page where security updates can be disabled]

@kyeotic for findability, can you pls rename this issue to something like Dependabot *security* updates should accept a "production dependencies only" mode ?

Hope this lands someday.

Also, @feelepxyz @jurre reading dependabot-security docs, it's not clear to me how yml-configurable this "security" product is. Before this issue I hadn't understood it was configurable, at all. Does dependabot-security read dependabot.yml? Will both dependabot and dependabot-security run? Since having a dependabot.yml is how you enable dependabot, how do I for example configure reviewers for my security alerts, but without enabling the full dependabot? Am I missing documentation?

Yeah it's currently very patchy but we have a plan to fix it! You currently can't configure security updates using the config file without also enabling version updates, if you do want to enable version updates the following config file options will also apply to security updates: https://github.com/dependabot/dependabot-core/issues/2521#issuecomment-731305885

@feelepxyz Sounds good, I will disable dependabot-security until that's fixed.

As a user, I have to say that this distinction is surprising and frustrating. I understand that they are internally considered two independent products, possibly developed by different teams, but they serve similar functions, have similar names, with similar operation and similar configuration so as a user I don't see them as independent, but as parts of a whole. I expect the difference in security and regular (?) to be a kind of alert, not a completely separate application with separate configuration. I would like to see them use a single configuration, possibly with a threshold or minimumAlertLevel for each kind.
