Questions tagged [dependabot]

Dependabot creates pull requests to keep your dependencies secure and up-to-date.

140 questions
6 votes, 2 answers

How to disable or ignore Dependabot pull requests?

We want to use Dependabot to be informed about updated dependencies, but we do not want Dependabot to create pull requests on its own and do not want automated builds (we use GitHub for Code, Azure DevOps for builds). There is no clear hint in the…
Benjamin Abt
6 votes, 1 answer

Github API to manage access to Security Alerts?

After enabling the Dependabot Security Alerts you need to explicitly grant access to alerts in the Security & Analysis settings (https://github.com/[org]/[repository]/settings/security_analysis). By default collaborators don't see the Security…
pkt1975
6 votes, 2 answers

Is dependabot.yml mandatory for GitHub Dependabot?

Is adding the dependabot.yml file mandatory for having GitHub Dependabot updates? Or is it just an additional option to change default…
Elina Akhmanova
6 votes, 0 answers

configure NPM version for dependabot

I'm using dependabot to update my NPM dependencies with the following dependabot.yml version: 2 updates: - package-ecosystem: npm directory: "/" schedule: interval: monthly rebase-strategy: auto But dependabot is using a different version…
Antonio Dragos
6 votes, 1 answer

Is there a way to generate a badge for the Dependabot into GitHub?

I've migrated a private GitHub repository to use the new Dependabot (into GitHub) and now the Dependabot badge shows as inactive on my README.md, but it's working fine. I'm looking for a way to fix the badge to reflect the real status.
Milton Castro
6 votes, 0 answers

To what end are we maintaining package-lock.json files that are free of security vulnerabilities? Why not just delete them or let them go stale?

package-lock.json stores a set of exact versions for all the dependencies and transitive dependencies that got installed when someone last ran npm update. You are encouraged to commit package-lock.json back to your repo. The only real consumer of…
interfect
6 votes, 2 answers

How can I change my dependabot config to exclude major versions

This is my dependabot config, is there any way to exclude major version updates and just have minor, patch and security updates? If so what would I need to change? version: 1 update_configs: - package_manager: 'javascript' commit_message: …
riscos3
5 votes, 1 answer

Ignore Dependabot notifications for 3rd party Repositories

Is it possible to watch a 3rd party repository on Github, but ignore any notification generated by dependabot? For example, I want to follow development in a repository like: https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation But…
Philip Pittle
5 votes, 1 answer

Automatic merging of Dependabot generated Pull Request with codeowners file and branch protection rule?

I have created Workflow for GitHub Actions as described here: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions name: Dependabot auto-approve …
pixel
5 votes, 1 answer

dependabot: Error : .github#L1 No event triggers defined in `on`

I'm trying to setup dependabot on a Github repo. Here's my config file: version: 2 updates: - package-ecosystem: "pip" directory: "/" schedule: interval: "daily" open-pull-requests-limit: 10 I'm getting the following…
Jérôme
4 votes, 0 answers

Dependabot issue - cannot update glob-parent to a non-vulnerable version

I've just started to use Dependabot and encountered an issue with one of its alerts. I was looking for an answer on how to handle such vulnerabilities, but didn't find any proper resource. What I can see is that it is a dependency of my deps, so it…
jake-ferguson
4 votes, 2 answers

What do production and development dependency groups mean in dependabot?

The dependabot docs say that you can indicate which dependency type to check per package manager. However, it is not clear how it tells between development and production packages. The other options are pretty straightforward (all, direct, and…
newdev
4 votes, 2 answers

CI Tests fail on Dependabot pull requests

I have a GitHub action that runs tests in the CI on every pull request that is opened on my repo. As part of the tests workflow, the job checks out several other repositories in the GitHub organization (all of them are private, same as my repo). Later…
4 votes, 0 answers

How to configure the dependabot.yml for updating whenever a new python patch version for alpine is available on docker hub?

I'm using Docker for my codebase and Dependabot on GitHub. What I want: whenever there's a new patch version of Python or a new minor version of Alpine for the python-alpine image on Docker Hub (see https://hub.docker.com/_/python), I want Dependabot to…
Kim Stacks
3 votes, 1 answer

Exclude codeowners from dependabot PR

We use a codeowners file to automatically assign reviews to Pull Requests. We also have Dependabot creating PRs for major versions. We do not want to automatically add reviews to the PRs created by Dependabot. According to…
Andreas Olsson