Dependabot creates pull requests to keep your dependencies secure and up-to-date.
Questions tagged [dependabot]
140 questions
3 votes, 0 answers
Dependabot pip package-ecosystem with two separate schedules
I have Dependabot running daily for package-ecosystem: "pip".
The problem I face is that the AWS boto library has a lot of updates and this is inflating my GitHub costs substantially.
I should like to be able to run Dependabot on two separate…

user3535147
3 votes, 0 answers
Dependabot not updating the gradle dependencies
I have an Android module called "dependencies" in my app. That's what the Gradle file looks like.
dependencies {
implementation 'androidx.core:core-ktx:1.7.0'
implementation 'androidx.appcompat:appcompat:1.4.1'
implementation…

MXC
3 votes, 1 answer
Environment variables in dependabot.yml?
I'm trying to set up dependabot-standalone to run in a GitLab-CI pipeline in a private instance.
It's an npm package and I'm using a private npm registry to fetch my dependencies from. According to the docs, I should set up my registry access data…

Antonio Pérez
3 votes, 2 answers
Distinguishing between Dependabot security and version update pull requests?
We've had Dependabot enabled for security vulnerabilities on our repos for a while, but just set it up for versioning updates as well. My understanding is that the configuration options for the latter can affect the former as well, particularly when…

Johnny
3 votes, 2 answers
Change target branch of open dependabot PR?
Is it possible to change the target branch of a Pull Request that dependabot has opened?
We have set up dependabot to usually target a specific branch, that is not main, but for security updates it will still target main (as discussed on this…

silent
3 votes, 1 answer
How to use dependabot secrets in GitHub CI workflow
I have an NPM_AUTH_TOKEN secret which was originally stored in my Actions secrets, which doesn't seem to be accessible by Dependabot when it automatically opens a PR.
I have now copied this secret into Dependabot Secrets. Do I need to change anything…

Stretch0
3 votes, 0 answers
GitHub Dependabot: How to run analysis on another branch
How do I run Dependabot against the feature branches?
What I'm trying to do is to find the vulnerabilities of the third-party packages (not in the default branch).
Here is my dependabot.yml file configuration which is stored in the .github…

shamon shamsudeen
3 votes, 2 answers
Does dependabot test to make sure it does not break the build?
I just got a dependabot saying:
Bump three from 0.120.1 to 0.125.0
But does it test that this will not break my repo?
It would have to run both "build" and "test" in my package.json. And actually run all my demos to test that they have no errors in…

backspaces
3 votes, 1 answer
How to automatically manage and update CDK version with Projen?
Context:
Projen is an awesome tool to generate and manage (JSII-built) AWS CDK projects.
Background:
Previously I have managed CDK dependencies with RenovateBot's group:aws-cdkMonorepo preset. This will result in RenovateBot creating a single Github…

Ari P
3 votes, 0 answers
Dependabot says Kramdown needs a security update - but I don't have a Gemfile in which the vulnerability is supposed to be
I got a dependabot alert (CVE-2020-14001 Vulnerable versions: < 2.3.0 Patched version: 2.3.0) from github for one of my github pages (https://github.com/akademie-oeffentliches-gesundheitswesen/krisenmanagment). This alert is supposed to be in the…

user3604828
3 votes, 0 answers
How can Dependabot automatically merge its pull requests based on Azure pipelines build status?
If Dependabot is enabled to automatically bump dependencies and create pull requests to 'master', how can these pull requests be automated so they are automatically approved and merged if Dependabot's branch passes the Azure DevOps build pipeline?

Rikai no hōhō
2 votes, 1 answer
Enable GitHub Dependabot Updates for actions used in Composite actions
I have a GitHub repository which hosts GitHub Actions logic shared among other GitHub repositories.
The file structure is:
.github
|_ .workflows
|_ shared-workflow-1
|_ ...
|_ shared-workflow-2
|_ ...
|_ custom-action-1
|_…

cmousset
2 votes, 1 answer
GitHub Dependabot Doesn't Have Permissions To Publish to GHCR, How Can I Give It Access?
I have a repository that builds, tags, and publishes container images to GitHub's ghcr.io, however it fails to publish on dependabot actions and breaks all of my pipelines that are doing the build, tag, and release of each container image. Here is…

R. Barrett
2 votes, 1 answer
How can I automate the generation of dependabot configuration files for many repositories
I need to configure Dependabot for a large number of repos (manually configuring will take days).
Some repos are "single language" such as typescript using a single package.json package-ecosystem: npm while other repositories are styled as "mono…

Avba
2 votes, 2 answers
GitHub dependabot for a library inside a yml file
Introduction
I'm currently working on a project that automatically containerizes a java project with JIB.
GitHub project link.
Problem
The LIB library is implicitly used inside the YAML file, like this:
- name: Build JIB container and publish…

ThrowsError