How can Dependabot be configured to focus exclusively on security updates? #1490
I know currently Dependabot v2 supports version updates alone, and my plan is to use Dependabot for security updates. So, I have downgraded the Dependabot version to v1, and while running Dependabot with the option useUpdateScriptvNext: true for .NET, it created a PR for the transitive package Microsoft.IdentityModel.JsonWebTokens from 7.0.0 to 7.1.2, but in our code I'm already using version 8.1.2, which means Dependabot tries to downgrade the version here. I have already seen a similar bug in #1247 and want to know, for security updates, whether I should go ahead with the option useUpdateScriptvNext: false or not.

Also, please let me know what the ETA will be for security updates in Dependabot v2, because v2 worked fine for us for version updates with almost all the GitHub Dependabot options.

NuGet PR:

Attachments:
- package.lock.json
- dependabot.yml
- dependabot-pipeline.yaml

Comments

@SatheeshS-optym it's hard to say what the cause is without seeing a copy of the task output logs; they would show why Dependabot decided to downgrade the dependency. I can say that there are known issues in dependabot-core for the NuGet ecosystem around transitive dependencies, central package manager, package locks, and large grouped updates (i.e. If you are able to provide the relevant logs of this package update from your task log, I can investigate further. Regarding support for security-only updates:

There is no firm ETA on security-only update support for V2; I'm working on it and hope to have a first release of this ready before the end of the year.

@rhyskoedijk Thanks for the detailed comments. It helped me understand more about Dependabot in relation to security updates. I'm using a central package manager file (Directory.Packages.props) in a .NET application, and I have attached the complete log file and the dependabot.yml file which I used on this specific run. Also, we are waiting to use Dependabot v2 for security updates. Hoping it will be rolled out soon.

@SatheeshS-optym security-only updates for V2 are now ready for review in #1394; it should hopefully be merged in the next week or two depending on the maintainers' availability.

Thanks for the support @rhyskoedijk. I hope the security update for Dependabot v2 is merged now in #1394; I will give it a try and let you know if any issues are faced.