
Due to private packages, I am still using Dependabot v1. Below is my JavaScript (yarn) config.

```yaml
version: 1
update_configs:
  - package_manager: 'javascript'
    directory: '/'
    update_schedule: 'daily'
    version_requirement_updates: increase_versions
    ignored_updates:
      - match:
          dependency_name: 'webpack-cli'
          version_requirement: '^3.3.12'
```

What I want?

I want to exclude/ignore webpack-cli 4.x. Whenever Dependabot runs, webpack-cli is updated to 4.x. It is incompatible with my app, so I need at most v3.3.12. So I told Dependabot to ignore after `^3.3.12`, but it still bumps and updates webpack-cli to v4.x.

How can I make sure webpack-cli always stays in the v3 series?

Expected

Dependabot ignores v4.

Actual

It bumps my package.json and yarn.lock to v4.

  • Don't you want to *ignore* `>=4` rather than `^3.3.12`, then? – jonrsharpe Nov 16 '20 at 18:55
  • Oh! I thought giving `^3.3.12` will ignore after that. So, you mean if I exclude/ignore v4 I need to put that version there? Then I misread the documentation :(. Also does npm/yarn support `>=`? – Dennis Nov 16 '20 at 19:14
  • Well it will ignore versions above 3.3.12 but explicitly **not** including 4. That's what `^3.3.12` *means*. – jonrsharpe Nov 16 '20 at 19:16
  • Got it. So the **major** version needs to be provided in this section. – Dennis Nov 16 '20 at 19:17
  • You need to provide whatever you want to ignore. Use e.g. https://semver.npmjs.com/ to try out different values and see what matches. – jonrsharpe Nov 16 '20 at 19:18
  • Awesome tool here! Thanks! I will use it. (P.S.: You may write it as an answer so I can accept) – Dennis Nov 16 '20 at 19:19
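
The range behaviour discussed in the comments, as an added example that is not part of the original question and is not Dependabot's or node-semver's code. It is a simplified matcher that handles only `^` and `>=` ranges (no prerelease tags), and the candidate version list is constructed for illustration.

```javascript
// Simplified npm-style range check (added example; not node-semver or Dependabot code).
// Supports only the two forms discussed here: caret ranges (^X.Y.Z) and
// '>=' comparators with a partial or full version. No prerelease handling.
function parse(v) {
  const [major = 0, minor = 0, patch = 0] = v.split('.').map(Number);
  return [major, minor, patch];
}

// Three-way comparison of two [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// A caret range stops before the next change to the left-most non-zero component.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfies(version, range) {
  const v = parse(version);
  if (range.startsWith('^')) {
    const low = parse(range.slice(1));
    return cmp(v, low) >= 0 && cmp(v, caretUpperBound(low)) < 0;
  }
  if (range.startsWith('>=')) {
    return cmp(v, parse(range.slice(2).trim())) >= 0;
  }
  throw new Error(`unsupported range: ${range}`);
}

// Versions that an ignore rule with this version requirement would suppress.
function ignored(candidates, range) {
  return candidates.filter((v) => satisfies(v, range));
}

// Constructed candidate list, not the real webpack-cli release history.
const candidates = ['3.3.11', '3.3.12', '3.4.0', '4.0.0', '4.2.0'];

console.log('^3.3.12 ignores:', ignored(candidates, '^3.3.12'));
console.log('>=4     ignores:', ignored(candidates, '>=4'));
```

An ignore rule on `^3.3.12` covers only 3.x releases from 3.3.12 upward, so every 4.x update still gets proposed; a rule on `>=4` covers the major bump itself.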

0 Answers