I am trying to customize which dependencies are updated using the allow property of Dependabot's configuration YAML.

Research: allow

I see that the allow property is preventing update of the dependencies instead of allowing update. Also, an allow for one dependency is preventing update for all dependencies.

For example, I added the allow property as below to allow for update of just one dependency, poi-ooxml. I want to skip updates to all other dependencies.

  allow:
    - dependency-name: "org.apache.poi:poi-ooxml"

Result:

  • All dependency updates are skipped.

Log file:

2022-06-16T20:41:32.4554260Z Checking if org.apache.poi:poi 4.1.1 needs updating
2022-06-16T20:41:32.4554513Z Requirements to unlock own
2022-06-16T20:41:32.4554747Z Updating org.apache.poi:poi is not allowed
2022-06-16T20:41:32.4555148Z Checking if org.apache.poi:poi-ooxml 4.1.1 needs updating
2022-06-16T20:41:32.4555414Z Requirements to unlock own
2022-06-16T20:41:32.4555760Z Updating org.apache.poi:poi-ooxml is not allowed

Adding full yaml as requested

version: 2
updates:
- package-ecosystem: maven
  directory: "/xxx"
  target-branch: "xxx"
  open-pull-requests-limit: 10
  allow:
    - dependency-name: "org.apache.poi:poi-ooxml"
SriA
  • Please provide the full YAML plus the executed command with arguments, because `allow` is not the only configuration that results in updates not being allowed. – hc_dev Jun 17 '22 at 17:00
  • Added full yaml to question as requested. – SriA Jun 20 '22 at 14:10

1 Answer

The allow property of your configuration:

  allow:
    - dependency-name: "org.apache.poi:poi-ooxml"

should lead to the behavior specified by the docs:

Use the allow option to customize which dependencies are updated. Dependabot checks for all allowed dependencies and then filters out any ignored dependencies or versions. So a dependency that is matched by both an allow and an ignore will be ignored. [..]. You can use the following options:

  • dependency-name - use to allow updates for dependencies with matching names, optionally using * to match zero or more characters. For Java dependencies, the format of the dependency-name attribute is: groupId:artifactId, for example: org.kohsuke:github-api.

The first dependency of group org.apache.poi is not allowed, because your allow specified only the artifact poi-ooxml.

The second dependency should be allowed if not specified in ignore.

The logs indicate that there must be an overriding ignore, as explained in the docs:

Dependencies can be ignored either by adding them to ignore or by using the @dependabot ignore command on a pull request opened by Dependabot.

Thus the logs state "not allowed":

2022-06-16T20:41:32.4554747Z Updating org.apache.poi:poi is not allowed
[..]
2022-06-16T20:41:32.4555760Z Updating org.apache.poi:poi-ooxml is not allowed
hc_dev
  • I added the yaml to my question; my yaml seems correct as per your comments. What can I do to be able to update poi-ooxml? – SriA Jun 20 '22 at 14:11
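The answer's reading of the docs (first keep only what `allow` matches, then drop what `ignore` matches) can be checked against a dependency list before committing a config. The script below is an added example written for this thread, not Dependabot's own code; it assumes that an empty `allow` list means every dependency is eligible and that `*` in a `dependency-name` matches zero or more characters, as the quoted docs state. The two artifact names are taken from the question's log; the `org.apache.poi:*` ignore is a constructed value showing what would produce the "not allowed" lines the questioner saw.

```python
"""Model of Dependabot's documented allow/ignore evaluation.

Added example, not Dependabot's implementation. Assumptions: an empty
`allow` list means every dependency is eligible; `*` in a dependency-name
matches zero or more characters; only the dependency-name form of `ignore`
is modelled (version ranges and `@dependabot ignore` are out of scope).
"""
import re
from typing import Dict, Iterable, List


def name_pattern(pattern: str) -> "re.Pattern[str]":
    """Compile a dependency-name pattern: '*' becomes '.*', everything else
    is literal, so '.' in 'org.apache.poi' does not act as a regex wildcard."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def matches_any(dep_name: str, patterns: Iterable[str]) -> bool:
    """True if dep_name matches at least one of the patterns."""
    return any(name_pattern(p).match(dep_name) for p in patterns)


def evaluate(dep_name: str, allow: List[str], ignore: List[str]) -> str:
    """Classify one dependency as 'allowed', 'not in allow' or 'ignored'.

    Order follows the docs quoted in the answer: allow filters first, then
    ignore removes entries from the allowed set.
    """
    if allow and not matches_any(dep_name, allow):
        return "not in allow"
    if matches_any(dep_name, ignore):
        return "ignored"
    return "allowed"


def evaluate_all(deps: Iterable[str], allow: List[str], ignore: List[str]) -> Dict[str, str]:
    """Classify every dependency in deps."""
    return {d: evaluate(d, allow, ignore) for d in deps}


# Constructed sample: the two artifacts from the question's log and the
# questioner's allow list.
DEPS = ["org.apache.poi:poi", "org.apache.poi:poi-ooxml"]
ALLOW = ["org.apache.poi:poi-ooxml"]

if __name__ == "__main__":
    # With the question's allow list and no ignore, only poi-ooxml is updated.
    print(evaluate_all(DEPS, ALLOW, []))
    # A hypothetical ignore covering the whole group yields "not allowed" for
    # both artifacts, which is the situation the answer suspects.
    print(evaluate_all(DEPS, ALLOW, ["org.apache.poi:*"]))
```

Run it against the real manifest's dependency names and the `allow`/`ignore` lists from the config file; any name that comes back as "ignored" points at an ignore rule (in the YAML or applied through a pull request) that has to be removed before the allow entry can take effect.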