If a dependabot.yml file with a limited npm allow section exists, all security updates are disabled #5845
The existence of this file with this configuration disables all security updates. See: dependabot/dependabot-core#5845
👋 I'm a little confused... Dependabot PRs that fix security updates are also version update PRs and subject (with certain exceptions) to the configuration in How is this not working as expected?
It seems impossible to enable security updates while also enabling limited all-version update PRs via config. I've consulted with 4 other engineers on this, each with over 10 years of experience in software development, and none of them expected this behavior. My expectation seems like a reasonable default to me.
So how would one set the config to achieve the desired goal here, then? (Enabling the usual security updates but also enabling all-version updates for one particular package.) Is there any way to do so? I should note, in addition to what @davidmurdoch has said, that a bunch of us looked at the documentation and, from the documentation, did not expect this behavior. If this is the intended behavior, the docs need to be a lot clearer on this point.
So if I understand, what you want is the following:
Is that correct? If so, I'm pretty sure there's a way to configure that, but I do agree in this case it's not clear at first glance how to do it... because I have to go look it up myself! 😄
Yup, that's the idea. If you look at the documentation for
Bumping this as it affects my organization, which has been using Dependabot for internal updates for years, and recently adopted GitHub Advanced Security. We've been enjoying thousands of automated internal updates per year from our private npm registry with Dependabot, but are now finding that the I agree with the posters in this thread who have described this behavior as counter-intuitive. In fact, it strikes me as such a fundamental oversight that I'm having trouble wrapping my head around it. If there is no way to filter out version updates without also filtering security updates, it leaves users either fundamentally insecure or pummeled with constant version update PRs for every dependency in the project. It essentially removes the distinction between version updates and security updates, which strikes me as a bug. To make matters worse, and further supporting that this is a bug, Dependabot itself reports 'No ignore conditions found' when queried for the packages that are being blocked from security updates.
@jeffwidman were you ever able to find a viable way to configure this behavior? For myself, my organization, and every engineer I've talked to, this scenario is the core use-case for Dependabot.
Is there an existing issue for this?
Package ecosystem
npm
Package manager version
6
Language version
16
Manifest location and content before the Dependabot update
No response
dependabot.yml content
```yaml
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"
    allow:
    reviewers:
```
Updated dependency
No response
What you expected to see, versus what you actually saw
Adding a dependabot.yml to a project shouldn't change the behavior of the GitHub Dependency Security Settings, but it does.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
Adding a dependabot.yml causes security updates to fail:
Smallest manifest that reproduces the issue
No response
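The pattern this report describes, an `updates` entry whose `allow` list is limited to named packages, is easy to miss in a config review. The following checker, added here as an example and not code from dependabot-core or from anyone in this thread, walks a parsed dependabot.yml and flags every update entry whose `allow` list names specific dependencies, which is the configuration the reporter says suppresses security updates. The sample config is constructed to match the reporter's shape (npm, daily schedule, limited `allow`); the package name in it is an assumption, since the original `allow` entries are not shown on the page. Parsing the YAML text itself uses PyYAML if it is installed; the checker otherwise works on an already-parsed dict.

```python
"""Flag dependabot.yml update entries whose `allow` list is restricted to named packages."""

from typing import Any, Dict, List, Tuple

# Constructed sample mirroring the reporter's config. The dependency name is
# an assumption: the thread only says the `allow` section was "limited".
SAMPLE_CONFIG: Dict[str, Any] = {
    "version": 2,
    "updates": [
        {
            "package-ecosystem": "npm",
            "directory": "/",
            "schedule": {"interval": "daily"},
            "allow": [
                {"dependency-name": "lodash"},  # assumed package name
            ],
        }
    ],
}

Finding = Tuple[str, str, List[str]]


def load_dependabot_yml(text: str) -> Dict[str, Any]:
    """Parse dependabot.yml text with PyYAML (optional dependency)."""
    try:
        import yaml  # type: ignore
    except ImportError as exc:  # PyYAML is not part of the standard library
        raise RuntimeError("PyYAML is required to parse YAML text; pass a parsed dict instead") from exc
    data = yaml.safe_load(text)
    return data if isinstance(data, dict) else {}


def restricted_allow_entries(config: Dict[str, Any]) -> List[Finding]:
    """Return (ecosystem, directory, names) for each update entry whose `allow`
    list names specific dependencies. Entries with no `allow`, an empty `allow`,
    or `allow` rules that only use `dependency-type` are not flagged, because
    they do not restrict updates to a fixed set of packages."""
    findings: List[Finding] = []
    for entry in config.get("updates") or []:
        if not isinstance(entry, dict):
            continue
        allow = entry.get("allow") or []
        names = [
            rule["dependency-name"]
            for rule in allow
            if isinstance(rule, dict) and isinstance(rule.get("dependency-name"), str)
        ]
        if names:
            findings.append(
                (str(entry.get("package-ecosystem")), str(entry.get("directory")), names)
            )
    return findings


def report(config: Dict[str, Any]) -> List[str]:
    """Human-readable warning lines, one per flagged update entry."""
    return [
        f"{eco} at {directory}: allow list limited to {', '.join(names)}; "
        "security updates for other packages may be suppressed (see #5845)"
        for eco, directory, names in restricted_allow_entries(config)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Run it against a checked-out repository with `load_dependabot_yml(open(".github/dependabot.yml").read())` in place of `SAMPLE_CONFIG`; a clean result means no update entry restricts `allow` to named packages, which is the condition this issue is about.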