Support configuring allowed updates for security updates using config file #2521
Comments
Hi, that config file looks to be invalid: https://github.com/kyeotic/raviger/runs/1097204025 You cannot specify Lmk if that works 👍
I added the ignore field after the
It's happening again with this config

```yaml
version: 2
updates:
  # Maintain dependencies for npm
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    allow:
      - dependency-name: "*"
        dependency-type: "production"
```
@jurre I realized you probably wouldn't get notified from an issue re-opening... so :bump:
@feelepxyz do you have an idea what's going on here?
@kyeotic pretty sure that's because it's a security update fixing a vulnerability in lodash: GHSA-p6mc-m468-83gw You currently can't configure
You'd have to ignore the dependencies specifically as we don't support ignoring
@feelepxyz That's surprising. Is this explained in the docs anywhere? I think wanting to ignore dependabot warnings for devDependencies is a pretty common request. I don't see why this separate and additional category of "security updates" is even in the equation. If I say I don't want devDependency warnings I mean I don't want any warnings for any devDependencies. Frankly, this behavior is wrong.
I guess I'm just going to have to disable dependabot entirely.
Good feedback and legitimate use-case! Will add this to our backlog to fix, we haven't done much to make both products configurable using the same config file but are looking at changing this.
You can also only disable security updates from the GitHub UI:
@kyeotic for findability, can you pls rename this issue to something like Hope this lands someday.
Also, @feelepxyz @jurre reading dependabot-security docs, it's not clear to me how yml-configurable this "security" product is. Before this issue I hadn't understood it was configurable, at all. Does dependabot-security read dependabot.yml? Will both dependabot and dependabot-security run? Since having a dependabot.yml is how you enable dependabot, how do I for example configure
Yeah it's currently very patchy but we have a plan to fix it! You currently can't configure security updates using the config file without also enabling version updates, if you do want to enable version updates the following config file options will also apply to security updates: #2521 (comment)
@feelepxyz Sounds good, I will disable dependabot-security until that's fixed. As a user, I have to say that this distinction is surprising and frustrating. I understand that they are internally considered two independent products, possibly developed by different teams, but they serve similar functions, have similar names, with similar operation and similar configuration so as a user I don't see them as independent, but as parts of a whole. I expect the difference in security and regular (?) to be a kind of alert, not a completely separate application with separate configuration. I would like to see them use a single configuration, possibly with a
@feelepxyz @jurre any news on making For my desired use case (1. security vulns only, 2. npm prod deps only, 3. automatic assignment to a list of reviewers) I'm still torn between two unsatisfying options:
Has there been progress around this? Can we hope to see progress soon? Thanks. (Issue subscribers: sorry for the lame "bump" comment, I never write those in open source projects because I hate causing noise to issue subscribers, but I'm paying for dependabot/GitHub and it's been six months since @feelepxyz wrote "we have a plan to fix it", so here's me doing an exception to this rule 🤷)
@ronjouch yeah it's kinda possible to configure security updates through

```yaml
version: 2
updates:
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 0 # in case you don't want to enable version updates
    allow:
      - dependency-type: "production"
    reviewers:
      - username
```

Security update PR should inherit this config as the config object is shared between version and security updates as long as the ecosystem, directory matches on the default branch. We're planning to make this a lot nicer.
@feelepxyz oooooh neat, trying this now. Thanks!
Cool. I'm staying subscribed to this issue, will try the nicer thing if/when it ships and undo the
@feelepxyz one more thing about this detail: does this mean that I should not have a second Said differently, will a second
Nope, you can have any number and they should match on ecosystem + directory so you can have version updates enabled for some and security updates for all (not yet possible to disable security updates on some projects).
…vDependencies a lot of the vulnerabilities are from react-scripts package which is just a build tool and should not affect the product facebook/create-react-app#11174. dependabot config dependabot/dependabot-core#2521
Showing obscure vulnerabilities that only exist in the dev setup creates more noise and means that they just get ignored (because they are probably low priority). Silencing them means when we get a vulnerable dependency alert we know to pay attention to it. Comes from dependabot/dependabot-core#2521 and hpcc-systems/Tombolo@501bbef.
I have no idea why this isn't the default, here are some threads on the issues: dependabot/dependabot-core#4146 dependabot/dependabot-core#2521 facebook/create-react-app#11174
@jurre @feelepxyz any update on this issue? Being able to ignore devDependencies would help to massively reduce the number of false positives we get.
Will we be able to get support for a private registry config with the security updates? We have our own artifactory for npm dependencies and the PRs dependabot creates for security updates don't match the registry we set up in the dependabot.yml file.
👋 Hello! Product Manager for Dependabot here. I'm currently doing research into adding/improving configuration for security updates, and am looking for user input. This issue is similar to things I'm thinking about, so if you're subscribed to this and you're open to a short conversation with me, please feel free to select a time in my calendar that fits your schedule here: https://calendar.app.google/7RSxjJJo9FdvRHNz7
Closing out as stale
Closing out issues as stale encourages "me too" comments that keep the issue active. Do you want "me too" comments @abdulapopoola ?
To this, adding that I did answer @carogalvin 's request for feedback above. We did meet, and when we did, Caro acknowledged that #2521 (comment) remained unaddressed. Not throwing @carogalvin under the bus, as no promises were made. Still, this issue is clearly not "stale", it's simply unaddressed but should remain open as acknowledgement of the configurability gap expressed by many users/customers through this issue. (And as kyeotic highlighted above, stale isn't a reason to close an issue, especially with many upvotes, this argument has been made a million times in a million repos)
Thanks @ronjouch , @kyeotic and @ChiriVulpes for the feedback. I'm sorry about that and I take full responsibility for this. As a first step, I'm re-opening the issue. I closed it since the last seen engagement was a long time ago and the crew is actually making good progress in this area. The goal is to engage the community more. Update: What would be a better way to carry you along going forward?
While it might not completely address your issues, I've been using the recently introduced auto-triage rules (that can be set both on the Organisation and Repository level). It allows you to automatically dismiss dependabot alerts that meet specified criteria (so you can ignore updates for a particular library, particular issue type, dev dependencies, etc).
Updates provided here in the issue would be ideal, since it already has people subscribed to it. Is there an organizational blocker to this?
No blockers to that. It's a bit challenging to keep the multiple issues about the same feature updated though. I'll see how it goes though. We're trying to engage the community more and create clarity about our in-progress work and plans. One option being explored is pinning in-progress items to the top of issues; another potential approach will be to use roadmaps (which require some more work).
If there is another issue that should be canonical, a reference to it while closing this should be sufficient. All subscribers and future visitors will see the new place.
@abdulapopoola 👍, thanks for the ack and honest comeback 🙂.
@abdulapopoola 👍, eager to see what you come up with. On my side, my problem was that #2521 (comment) simply didn't work (my config was exactly this comment, in several repos where vulns do happen). We've had it in several repos, it failed to produce any PR in a year, without visibility on what's wrong, and thus we abandoned it. Since then, we manage these manually with npm audit and without Dependabot. But maybe this is fixed. I re-enabled my attempt in 2 repos, let's see if this works now. At any rate, if this is something you'd like, I'd be happy to have a new live chat with you or another Dependabot PM / tech, for "business analysis" clarity or support. EDIT WHOA HEY, this seems to work now 🙂, I immediately got a PR after enabling it in a repo. Cool, keeping it. Am still interested in the "We're planning to make this a lot nicer" that @feelepxyz was mentioning in #2521 (comment) . Thx for your work!
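Added example, not from this thread or from Dependabot: a small Node script that does offline what the `allow: dependency-type: "production"` rule in the config above and the manual `npm audit` triage in this comment are after, splitting `npm audit --json` findings (npm 7+ format) into production-reachable and dev-only ones using the `dev`/`devOptional` flags of a v2/v3 package-lock. Both inputs are constructed samples; package names and versions are placeholders, and `triageAudit`/`isDevOnly` are names chosen here.

```javascript
// Constructed sample of a lockfileVersion 3 package-lock (not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { lodash: "^4.17.0" }, devDependencies: { "react-scripts": "^4.0.0" } },
    "node_modules/lodash": { version: "4.17.15" },                 // production dependency
    "node_modules/react-scripts": { version: "4.0.3", dev: true }, // dev-only
    "node_modules/react-scripts/node_modules/glob-parent": { version: "5.1.0", dev: true },
  },
};

// Constructed sample of `npm audit --json` output (npm >= 7 shape, trimmed).
const SAMPLE_AUDIT = {
  vulnerabilities: {
    lodash: { name: "lodash", severity: "high", isDirect: true,
              nodes: ["node_modules/lodash"] },
    "glob-parent": { name: "glob-parent", severity: "moderate", isDirect: false,
                     nodes: ["node_modules/react-scripts/node_modules/glob-parent"] },
  },
};

// A vulnerable package is dev-only when every installed copy of it is flagged
// dev or devOptional in the lockfile. Paths missing from the lock are treated
// as production so a stale lock never silently hides a finding.
function isDevOnly(lock, nodes) {
  return nodes.length > 0 && nodes.every((path) => {
    const entry = lock.packages[path];
    return entry !== undefined && (entry.dev === true || entry.devOptional === true);
  });
}

// Split findings into production-reachable (act on these) and dev-only
// (the noise the thread wants to silence, kept so it can still be reviewed).
function triageAudit(audit, lock) {
  const production = [];
  const devOnly = [];
  for (const vuln of Object.values(audit.vulnerabilities)) {
    const bucket = isDevOnly(lock, vuln.nodes) ? devOnly : production;
    bucket.push({ name: vuln.name, severity: vuln.severity, isDirect: vuln.isDirect });
  }
  return { production, devOnly };
}

// With real files: triageAudit(JSON.parse(fs.readFileSync("audit.json", "utf8")),
//                              JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
console.log(JSON.stringify(triageAudit(SAMPLE_AUDIT, SAMPLE_LOCK), null, 2));
```

npm 8+ can make a similar cut natively with `npm audit --omit=dev`; the script is for when the dev-only list itself is wanted, for example to record what is being deliberately ignored.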
@feelepxyz (or anyone familiar): follow-up to #2521 (comment) : is the Said differently, what's the best way since the latest release to enable security updates (configured by dependabot.yml, e.g. with specific assignees) without enabling version updates?
@ronjouch it's still needed because
I have configured a dependabot.yml that should ignore devDependencies. Despite this I am still getting PRs for devDependency warnings.
What do I need to do to stop these from happening?