Dependabot creates pull requests to keep your dependencies secure and up-to-date.
Questions tagged [dependabot]
140 questions
1 vote · 1 answer
How to configure dependabot to check multiple files?
The official recommendation from pip-tools for cross-compilation is:
As the resulting requirements.txt can differ for each environment, users must execute pip-compile on each Python environment separately to generate a requirements.txt valid for…

dfrankow · 20,191 · 41 · 152 · 214
1 vote · 1 answer
Golang: what to do with google.golang.org/api obsolete dependencies on golang.org/x/net
Recently GitHub's Dependabot complained about some dependencies in my project which are vulnerable to DoS, have a "Broken or Risky Cryptographic Algorithm", and have a bug with "Uncontrolled Resource Consumption".
Specifically, it is warning me about…

GRbit · 39 · 7
1 vote · 0 answers
Dependabot version fails due to outdated Flutter version
I am working on an open-source Flutter project; it uses GitHub's Dependabot to manage its dependency versions.
But recently we upgraded our Flutter to the latest version, Flutter 3.7.3, and after that all of the Dependabot PRs are failing…

Siddhesh B. Kukade · 167 · 1 · 9
1 vote · 1 answer
Github Dependabot recommending Gemfile.lock PLATFORMS change from ruby to x86_64-linux. Nokogiri 1.13.1 -> 1.13.9
# Gemfile.lock
- nokogiri (1.13.1)
- mini_portile2 (~> 2.7.0)
+ nokogiri (1.13.9-x86_64-linux)
...
PLATFORMS
- ruby
+ x86_64-linux
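Review bot: the PLATFORMS hunk replaces `ruby` with `x86_64-linux` instead of adding it, so the lockfile is now resolved only for the precompiled `nokogiri (1.13.9-x86_64-linux)` build; on any other platform Bundler will report that the bundle only supports `x86_64-linux`. Keep `ruby` listed alongside `x86_64-linux` (for example via `bundle lock --add-platform ruby`) if the lockfile must still resolve on other platforms.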
Hello! Dependabot is recommending a gem bump Nokogiri 1.13.1 -> 1.13.9 with the above diff.
However I cannot…

i0x539 · 4,763 · 2 · 20 · 28
1 vote · 0 answers
How to set up email alerts for only critical and high vulnerabilities in Dependabot
I'm trying to set up Dependabot on a collaborative GitHub project; is there a way to send out alerts via email to all people on the project if there is a critical/high vulnerability alert?

Colin Jack · 19 · 4
1 vote · 1 answer
Dependabot not upgrading major versions of Maven SNAPSHOT dependencies
I've got Dependabot set up, but even though a new minor version of a SNAPSHOT dependency is available, it's not being found.
Take the following pom.xml:

Jakg · 922 · 12 · 39
1 vote · 0 answers
How to fix transitive dependency alerts generated by Dependabot
We have enabled Dependabot alerts on our repository. But Dependabot is not opening new PRs for some of the vulnerabilities.
For example, below is one of the alerts I see:
The latest possible version that can be installed is 2.4.2 because of the following…

DevDenim007 · 21 · 3
1 vote · 0 answers
Dependabot is NOT creating pull requests for parent pom version
Dependabot is NOT creating pull requests for parent pom version.
We are using Maven 3.X as the package manager. Our project uses a parent pom version as below:
xxxxx-base-java-webapp
…

SriA · 11 · 3
1 vote · 1 answer
Can dependabot suggest patches for direct dependency?
Currently, Dependabot suggests only the vulnerable package's patch version (fix), but what if I need to upgrade only the direct dependency which consumes the fix?
Is that possible with dependabot?
Is this feature part of the backlog?

varunzxzx · 21 · 8
1 vote · 1 answer
Other ways of disabling default Maven plugins than via phase none?
For some of my projects I don't need the default Maven plugins; for example, I use no compiler or a different one there. Disabling these plugins saves execution time and build output in this case.
For the moment the only way to disable default Maven…

Torsten Kleiber · 13 · 4
1 vote · 1 answer
Can't update private dependencies with Dependabot
Context
I have a library of private components stored in Bit.dev as my source of truth.
To use them I must have a token and the registry information in my .npmrc file and with this token I can install all of my components anywhere I want.
/**.npmrc…

Uriel Carneiro · 390 · 3 · 15
1 vote · 1 answer
How can I get Dependabot to ignore a Docker minor version?
I'm trying to stay one minor version behind the latest Python version, and I was hoping to use Dependabot to help with that.
I'm using the python slim Docker image as my base image, and based on that plus the Dependabot docs I've added the following…

ChickenWing · 639 · 9 · 24
1 vote · 1 answer
warning Lockfile has incorrect entry for "prismjs@1.24.0". Ignoring it
I have inherited an issue with prismjs whereby I have to remove/reinstall it every time I add/upgrade another package.
I have a GoCD pipeline validation that fails every time I try to use Dependabot to address security vulnerabilities on my…

Grant Brennan · 27 · 4
1 vote · 1 answer
Dependabot Emails
I have been using Dependabot for about a year and recently (in the past couple of months) I started getting some emails that never came before. There are two types of emails that I get, and they seem to be somewhat regular:
[GitHub] Your Dependabot alerts…

ssc327 · 690 · 1 · 9 · 19
1 vote · 1 answer
How to find a username with the GitHub API
I've made an application that creates pull requests to update the dependencies in all of my org's repos when the repo "Alpha" gets a new tag. The process is triggered by our CI flow on Alpha. Other engineers here would like to upgrade this…

Jed Godsey · 77 · 2 · 8