
How can Dependabot be configured to focus exclusively on security updates? #1490

Closed
SatheeshS-optym opened this issue Nov 25, 2024 · 4 comments · Fixed by #1394

Comments

SatheeshS-optym commented Nov 25, 2024

I know that currently Dependabot v2 supports version updates alone, and my plan is to use Dependabot for security updates. So I have downgraded the Dependabot version to v1, and while running Dependabot with the option useUpdateScriptvNext: true for .NET, it created a PR for the transitive package Microsoft.IdentityModel.JsonWebTokens from 7.0.0 to 7.1.2, but in our code I'm already using version 8.1.2, which means Dependabot tries to downgrade the version here. I have already seen a similar bug in #1247 and want to know whether, for security updates, I should go ahead with the option useUpdateScriptvNext: false or not.

Also, please let me know what the ETA will be for security updates in Dependabot v2, because v2 worked fine for us for version updates with almost all the GitHub Dependabot options.

Nuget PR: [screenshot not captured]

package.lock.json: [two screenshots not captured]

dependabot.yml:

```yaml
version: 2
updates:
  - package-ecosystem: "nuget"
    directory: /Engine
    labels:
      - "nuget"
      - "dependencies"
    open-pull-requests-limit: 0
    commit-message:
      prefix: "nuget"
      prefix-development: "nuget"
      include: "scope-and-version"
      separator: "-"
    groups:
      nuget:
        patterns:
          - "*"

  - package-ecosystem: "npm"
    directories:
    - /Backend/**/*
    - /Frontend/
    - /Shared/
    labels:
    - "npm"
    - "dependencies"
    open-pull-requests-limit: 0
    commit-message:
      prefix: "npm"
      prefix-development: "npm"
      include: "scope-and-version"
      separator: "-"
    groups:
      npm:
        patterns:
          - "*"

  - package-ecosystem: "pip"
    directories:
    - /deployment/db-deploy-script
    - /Utility/PythonScripts/
    labels:
    - "pip"
    - "dependencies"
    open-pull-requests-limit: 0
    commit-message:
      prefix: "pip"
      prefix-development: "pip"
      include: "scope-and-version"
      separator: "-"
    groups:
      pip:
        patterns:
          - "*"
```

dependabot-pipeline.yaml:

```yaml
trigger: none

pool:
 vmImage: ubuntu-latest

jobs:
  - job: Dependabot
    displayName: Dependabot Execution
    timeoutInMinutes: 120
    steps:
    - script: |
        sudo cp -r $(Build.SourcesDirectory)/.azuredevops/ /.azuredevops/
      displayName: Move Dependabot file

    - task: dependabot@1
      inputs:
        azureDevOpsAccessToken: '$(System.AccessToken)'
        gitHubAccessToken: '$(GITHUB_ACCESS_TOKEN)'
        useUpdateScriptvNext: true
        extraEnvironmentVariables: "DEPENDABOT_AUTHOR_EMAIL=example@domain.com;DEPENDABOT_AUTHOR_NAME=example;DEPENDABOT_SECURITY_UPDATES_ONLY=true"
      displayName: Run Dependabot
```
SatheeshS-optym changed the title from "Dependabot V2 security updates" to "How can Dependabot be configured to focus exclusively on security updates?" on Nov 25, 2024

rhyskoedijk (Contributor) commented:
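The downgrade described in the post (a PR moving a transitive package from 7.0.0 to 7.1.2 while the build already pins 8.1.2 through central package management) is the kind of thing a pipeline gate can catch before a PR is merged. The following is an added example, not code from the issue or from the dependabot-azure-devops task: it reads the two places NuGet records versions, Directory.Packages.props (central package management) and packages.lock.json, treats the central pin as authoritative, and flags a proposed update whose target version is lower than what is already in use. The sample props and lock contents are constructed, the version comparison is a simplified SemVer/NuGet ordering (numeric core, pre-release before release), and the PR-title parsing assumes Dependabot's single-package "Bump X from A to B" title form.

```python
"""Flag Dependabot PRs that would move a NuGet package below the version the
repository already uses. Added example; all sample inputs are constructed."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed Directory.Packages.props: the version the build really uses is 8.1.2.
SAMPLE_PROPS = """<Project>
  <ItemGroup>
    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.1.2" />
    <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>
"""

# Constructed packages.lock.json (NuGet lock file, format version 1) whose transitive
# entry still resolves to 7.0.0, i.e. the version the updater reasoned from.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Microsoft.IdentityModel.JsonWebTokens": {
                "type": "Transitive", "resolved": "7.0.0", "contentHash": "constructed"},
            "Newtonsoft.Json": {
                "type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3",
                "contentHash": "constructed"},
        }
    }
})

BUMP_TITLE = re.compile(r"^Bump (\S+) from (\S+) to (\S+)", re.IGNORECASE)


def parse_version(text):
    """Comparable key for a NuGet/SemVer-style version: numeric core first, then the
    rule that a pre-release sorts before its final release. Build metadata after '+'
    is ignored; pre-release labels are compared as plain strings (a simplification)."""
    core, _, prerelease = text.split("+", 1)[0].partition("-")
    nums = tuple(int(part) for part in core.split("."))
    nums += (0,) * (4 - len(nums))  # NuGet allows up to four numeric parts
    return (nums, prerelease == "", prerelease)


def versions_from_props(xml_text):
    """Central pins: <PackageVersion Include="Name" Version="x.y.z" /> items."""
    pins = {}
    for item in ET.fromstring(xml_text).iter("PackageVersion"):
        name, version = item.get("Include"), item.get("Version")
        if name and version:
            pins[name.lower()] = version  # NuGet package ids are case-insensitive
    return pins


def versions_from_lock(lock_text):
    """Highest 'resolved' version per package across all target frameworks."""
    resolved = {}
    for framework in json.loads(lock_text).get("dependencies", {}).values():
        for name, entry in framework.items():
            version, key = entry.get("resolved"), name.lower()
            if version and (key not in resolved
                            or parse_version(version) > parse_version(resolved[key])):
                resolved[key] = version
    return resolved


def pinned_versions(props_xml, lock_json):
    """Lock file first; central pins override it, as they do at restore time."""
    pinned = versions_from_lock(lock_json)
    pinned.update(versions_from_props(props_xml))
    return pinned


def check_update(package, proposed, pinned):
    """Return (ok, reason); ok is False when the proposal is a downgrade."""
    current = pinned.get(package.lower())
    if current is None:
        return True, f"{package}: not pinned in this repo, nothing to compare"
    if parse_version(proposed) < parse_version(current):
        return False, f"{package}: proposed {proposed} is below {current} already in use (downgrade)"
    return True, f"{package}: {proposed} >= {current}"


def review_pr_title(title, pinned):
    """Apply check_update to a single-package Dependabot title 'Bump X from A to B'."""
    match = BUMP_TITLE.match(title)
    if not match:
        return True, "not a single-package bump title; review manually"
    return check_update(match.group(1), match.group(3), pinned)


if __name__ == "__main__":
    pins = pinned_versions(SAMPLE_PROPS, SAMPLE_LOCK)
    for title in ("Bump Microsoft.IdentityModel.JsonWebTokens from 7.0.0 to 7.1.2",
                  "Bump Newtonsoft.Json from 13.0.3 to 13.0.4"):
        ok, reason = review_pr_title(title, pins)
        print("OK   " if ok else "BLOCK", reason)
```

Run against the real files instead of the constructed samples, the gate blocks the first title (7.1.2 is below the 8.1.2 central pin) and passes the second. Grouped-update PRs do not use the single-package title form, so those fall through to manual review rather than being silently approved.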

@SatheeshS-optym it's hard to say what the cause is without seeing a copy of the task output logs; they would show why Dependabot decided to downgrade the dependency.

I can say that there are known issues in dependabot-core for the NuGet ecosystem around transitive dependencies, central package manager, package locks, and large grouped updates (i.e. pattern: *). So any one of these could be contributing to your issue.

If you are able to provide the relevant logs of this package update from your task log, I can investigate further.

Regarding support for security-only updates:

  • Using task V1 with useUpdateScriptvNext: false will likely give the least accurate results as it doesn't use the dependabot-core updater to perform updates;
  • Using task V1 with useUpdateScriptvNext: true will likely give the most accurate results currently (albeit, not perfect);
  • Using task V2 does not support security-only updates yet, but is being worked on in Support for security-only updates using Dependabot CLI #1394

There is no firm ETA on security-only update support for V2; I'm working on it and hope to have a first release of this ready before the end of the year.

SatheeshS-optym (Author) commented:

@rhyskoedijk Thanks for the detailed comments. It helped me understand more about Dependabot in relation to security updates. I'm using a central package manager file (Directory.Packages.props) in a .NET application, and I have attached the complete log file and the dependabot.yml file which I used on this specific run. Also, we are waiting to use Dependabot v2 for security updates; hoping it will be rolled out soon.

Attachments: dependabot.yml.txt, 5_Run Dependabot.txt

rhyskoedijk (Contributor) commented:

@SatheeshS-optym security-only updates for V2 are now ready for review in #1394; it should hopefully be merged in the next week or two depending on the maintainers' availability.

SatheeshS-optym (Author) commented:

Thanks for the support @rhyskoedijk. I hope the security update for Dependabot v2 is merged now in #1394; I will give it a try and let you know if I face any issues.
