Currently, Dependabot suggests only the vulnerable package's patch version (fix), but what if I need to upgrade only the direct dependency which consumes the fix?
- Is that possible with dependabot?
- Is this feature part of the backlog?
No, Dependabot checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then Dependabot raises a pull request to update the dependency to the minimum version that includes the patch.
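To make the difference between the two strategies concrete, here is an added toy model (not Dependabot's code) over a constructed dependency graph: a hypothetical direct dependency `web-kit` whose releases constrain a hypothetical transitive `vuln-lib`. `dependabot_candidate` mirrors the answer above (lowest patched transitive version the current direct dependency already permits), while `direct_upgrade_for_fix` models what the question asks for (the lowest direct-dependency release whose constraint admits a patched version). Real Dependabot defers to the ecosystem's resolver and registry metadata; the version data here is invented.

```python
# Added illustration (not Dependabot's code): a toy model of the two strategies,
# using a constructed dependency graph. Hypothetical packages, no real advisory.
from typing import Optional

Version = tuple[int, ...]

def parse(v: str) -> Version:
    return tuple(int(part) for part in v.split("."))

def allows(constraint: str, candidate: str) -> bool:
    """Two constraint forms: an exact pin ('1.4.1') or a caret range
    ('^1.4.0' means >=1.4.0,<2.0.0, npm semantics for major >= 1)."""
    if constraint.startswith("^"):
        base = parse(constraint[1:])
        return base <= parse(candidate) < (base[0] + 1, 0, 0)
    return parse(constraint) == parse(candidate)

# Constructed sample data: each release of the direct dependency `web-kit`
# declares a constraint on the transitive dependency `vuln-lib`.
WEB_KIT_RELEASES = {"2.0.0": "1.4.1", "2.1.0": "^1.4.0", "3.0.0": "^2.0.0"}
VULN_LIB_RELEASES = ["1.4.0", "1.4.1", "1.5.2", "2.0.0", "2.0.1"]
FIRST_FIXED = {1: "1.5.2", 2: "2.0.1"}  # first patched release per major line

def is_fixed(v: str) -> bool:
    major = parse(v)[0]
    return major in FIRST_FIXED and parse(v) >= parse(FIRST_FIXED[major])

def dependabot_candidate(installed_web_kit: str) -> Optional[str]:
    """Dependabot's approach: the lowest patched `vuln-lib` release that the
    installed `web-kit` already permits; None if its constraint cannot reach
    any patched version without changing `web-kit` itself."""
    constraint = WEB_KIT_RELEASES[installed_web_kit]
    fixed = [v for v in VULN_LIB_RELEASES if is_fixed(v) and allows(constraint, v)]
    return min(fixed, key=parse) if fixed else None

def direct_upgrade_for_fix(installed_web_kit: str) -> Optional[tuple[str, str]]:
    """The asker's approach: the lowest `web-kit` release (current one included)
    whose constraint admits a patched `vuln-lib`, paired with that version."""
    for release in sorted(WEB_KIT_RELEASES, key=parse):
        if parse(release) < parse(installed_web_kit):
            continue
        transitive = dependabot_candidate(release)
        if transitive is not None:
            return release, transitive
    return None

if __name__ == "__main__":
    # With web-kit pinned to vuln-lib 1.4.1, Dependabot has no in-range fix,
    # whereas bumping web-kit to 2.1.0 unlocks the patched 1.5.2.
    print(dependabot_candidate("2.0.0"), direct_upgrade_for_fix("2.0.0"))
```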