
We have the following dependabot.yml config:

version: 2
updates:
  - package-ecosystem: "bundler"
    directory: "/app"
    target-branch: "develop"
    schedule:
      interval: "daily"

Around 60% of the PRs that dependabot opens, however, are against our master branch. When I try changing the base branch to develop and re-running dependabot rebase or recreate, it flips the branch back to master.

I read that dependabot sometimes opens security PRs against master, but if that's the case - what's the point in the config file?

s89_

1 Answer


Dependabot has 2 types of updates:

  • Package version updates are configured in dependabot.yml.
  • Security updates are configured via a repo's Security tab. Security PRs always go to main.

https://github.com/community/community/discussions/11710

Does this describe what you're seeing? I'm struggling too, been researching for 3 days - it seems to aggravate lots of people. I'll bet eventually security updates will be configurable in dependabot.yml - but I couldn't find a road map saying so :(

wcDogg
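
An added example, not part of the original question or answer: a Ruby script that measures what the question describes by comparing each Dependabot PR's base branch with the `target-branch` set in `dependabot.yml`. The PR list is constructed sample data shaped like GitHub's REST "list pull requests" response, and `configured_targets` and `audit` are hypothetical helper names.

```ruby
require "yaml"
require "json"

# Constructed sample: the dependabot.yml from the question.
CONFIG = <<~YAML
  version: 2
  updates:
    - package-ecosystem: "bundler"
      directory: "/app"
      target-branch: "develop"
      schedule:
        interval: "daily"
YAML

# Constructed sample data, shaped like GitHub's "list pull requests" response
# (only the fields used here: number, title, user.login, base.ref).
PULLS = <<~JSON
  [
    {"number": 101, "title": "Bump gem-a", "user": {"login": "dependabot[bot]"}, "base": {"ref": "develop"}},
    {"number": 102, "title": "Bump gem-b", "user": {"login": "dependabot[bot]"}, "base": {"ref": "master"}},
    {"number": 103, "title": "Bump gem-c", "user": {"login": "dependabot[bot]"}, "base": {"ref": "master"}},
    {"number": 104, "title": "Bump gem-d", "user": {"login": "dependabot[bot]"}, "base": {"ref": "develop"}},
    {"number": 105, "title": "Fix typo",   "user": {"login": "alice"},           "base": {"ref": "master"}}
  ]
JSON

# Branches that dependabot.yml asks version updates to target. An entry with
# no target-branch falls back to the repository's default branch.
def configured_targets(config_yaml, default_branch)
  updates = YAML.safe_load(config_yaml).fetch("updates", [])
  updates.map { |u| u["target-branch"] || default_branch }.uniq
end

# Split Dependabot-authored PRs by whether their base branch matches the config.
def audit(config_yaml, pulls_json, default_branch)
  targets = configured_targets(config_yaml, default_branch)
  bot_prs = JSON.parse(pulls_json).select { |pr| pr.dig("user", "login") == "dependabot[bot]" }
  on, off = bot_prs.partition { |pr| targets.include?(pr.dig("base", "ref")) }
  { targets: targets,
    on_target: on.map { |pr| pr["number"] },
    off_target: off.map { |pr| [pr["number"], pr.dig("base", "ref")] } }
end

report = audit(CONFIG, PULLS, "master")
puts "configured target(s): #{report[:targets].join(', ')}"
report[:off_target].each { |num, base| puts "PR ##{num} targets #{base}, not the configured branch" }
```

The PRs listed as off-target are the ones to compare against the repository's security update settings, since the answer above attributes them to security updates rather than to `dependabot.yml`.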