Questions tagged [dependabot]

Dependabot creates pull requests to keep your dependencies secure and up-to-date.

140 questions
0 votes, 1 answer

Updating dependency graph always fails

I've set my maven.yml to update my project's dependency graph when it builds, but it always fails with this error: Error: Response body: { "message": "Resource not accessible by integration", "documentation_url":…
0 votes, 0 answers

Dependabot ignore and PR creation issue

I was working on integrating dependabot with my repo and all of a sudden, it stops creating a PR updater | 2023/07/31 14:19:11 INFO Finished job processing updater | 2023/07/31 14:19:11 INFO Results: updater |…
0 votes, 0 answers

Is there a way to disable dependabot from the YAML config?

GitHub has dependabot integrated into the repo I'm working on. I have a dependabot YAML (.yml) config file already that controls many aspects of how it runs. Is there an option that I can add to this file that will disable dependabot? I tried…
David Walz
0 votes, 0 answers

GitHub Dependabot fake alert - how to get rid of it?

My private repo has GitHub Dependabot alerts enabled. A few months ago, it detected XSS in jQuery, which has been updated to jquery-3.6.4.min.js, which is not affected by this XSS. Dependabot was silent for a few months, and nowadays I receive…
wojcieh
0 votes, 0 answers

What is the maximum time in Dependabot update and how to extend it?

Is there a way to modify the timeout? I do not want to compromise on the coverage of the version update check. For version update configuration, GitHub official documentation states the ways to cater for the timeout but these means are controlling…
BayOtter
0 votes, 1 answer

Does `@dependabot recreate` also rebase onto latest mainline?

I'm having trouble finding a definitive answer to this, so asking here: On GitHub projects that use Dependabot, will @dependabot recreate also rebase the branch onto latest mainline just like @dependabot rebase does? Or does it just simply recreate…
ecbrodie
0 votes, 1 answer

Is there a CLI tool for keeping software dependencies up to date? (e.g. CLI mode for renovate or dependabot)

How can I run renovate or dependabot via the CLI on a codebase to have it update the dependencies in the project's local files? I'm looking to use one of these tools to run locally and pointed at a project on the file system. When finished, I expect…
Scott G
0 votes, 1 answer

Is it possible to ask dependabot to ignore updates that require a certain .NET version?

My team has started using dependabot to update our NuGet packages on a regular basis. Currently we have .NET 5.0, and a lot of the PRs generated by dependabot include major updates which are dependent on .NET 6.0. For now I have added "ignore" in…
Ank
0 votes, 0 answers

How to define multiple npm registries for Dependabot workflow configuration?

I'm trying to specify two npm registries for my GitHub Action Dependabot workflow, but when committed, the following error occurs: Dependabot encountered the following error when parsing your .github/dependabot.yml: The property…
Remi Sture
0 votes, 0 answers

Dependabot can't evaluate your Python dependency files snowflake-connector-python / simple-salesforce

In GitHub security I see a vulnerability alert that says: snowflake-connector-python is vulnerable to Regular Expression Denial of Service (ReDoS). When I click the button to create a security update for snowflake-connector-python I see Dependabot…
0 votes, 2 answers

GitHub "Used By" / Dependents Not Populating

My project pyngrok has hundreds of stars, is listed as a PyPI "Critical Project", and thus is used by many other projects, including significant ones. But the "Used By" section has never populated or shown up on my project's GitHub page. Similarly,…
alexdlaird
0 votes, 0 answers

How to automate cypress version update with dependabot.yaml?

I'm trying to automate my cypress version upgrade with GitHub dependabot but despite all of the given efforts, I'm still getting the following errors: The property '#/updates/0/' contains additional properties ["package-version", "depfile", "commands"]…
0 votes, 1 answer

Dependabot - Ignoring NuGet package versions

I'm trying to get dependabot up and running with C# projects that have NuGet dependencies, and configure it to ignore certain versions of packages, such as .NET 7 packages. Things I have tried: Various variations of the .github/dependabot.yml…
dalemac
0 votes, 0 answers

How to resolve dependabot security alerts when the direct dependency isn't listed (transitive errors)

I'm getting several dependabot security notices but they don't stem from my direct dependencies. I've tried examining the insights/dependency graph but this isn't helping much. I've also tried running yarn audit and get no errors; I tried running…
Avba
0 votes, 2 answers

How to make dependabot keep the same version for multiple Java libraries?

In my build.gradle.kts I have multiple libraries that are released simultaneously with the same version and must be kept that way. How do I make GitHub's Dependabot update the version of all of them at once, if it has detected that version change on…
ivan.ukr