This is my dependabot config, is there any way to exclude major version updates and just have minor, patch and security updates? If so what would I need to change?
version: 1
update_configs:
- package_manager: 'javascript'
commit_message:
include_scope: true
prefix: 'chore'
default_reviewers:
- someUser
default_labels:
- 'dependencies'
directory: '/'
target_branch: 'develop'
update_schedule: 'live'
This is now possible although you'll need to update to Dependabot version 2. You can then do something like the following:
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "daily"
ignore:
- dependency-name: "*"
update-types: ["version-update:semver-major"]
See https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore for more information on this.
You can do something like this. We use this to ignore certain versions of certain dependencies.
- package-ecosystem: gomod
directory: "/"
schedule:
interval: daily
time: "04:00"
open-pull-requests-limit: 10
reviewers:
- xh3b4sd
ignore:
- dependency-name: k8s.io/*
versions:
- ">=0.19.0"
One problem that I currently try to figure out is how to actually resume updates automatically once they have been ignored. Right now it looks like you have to trigger them manually, which is quite some work when you have many repositories.
