What do production and development dependency groups mean in dependabot?
The dependabot docs say that you can indicate which dependency type to check per package manager. However, it is not clear how it tells between development and production packages. The other options are pretty straightforward (all, direct, and indirect).

If you choose dependency-type: production under npm, I am assuming dependabot will ignore any packages inside of devDependencies. Unfortunately, I'm not sure since the docs don't mention the specific criteria the tool uses.

With pip, it is even less clear. The reason why is because there are no PEPs that outline naming conventions for the requirements file. Since you can basically have multiple requirements files without clear rules on their names, how will dependabot know which one to check? For example, I have seen dev-requirements.txt and requirements_dev.txt as development packages files. I know it is a best practice to choose one or the other (or perhaps another variation) and stick with it, but I am wondering which one dependabot will examine if I do dependency-type: development under pip.

Radish answered 9/12, 2021 at 12:54 Comment(0)

Disclaimer: I briefly skimmed the dependabot-core code (which has a lot of RegEx) to answer this, and I haven't tested any of this myself, so apologies for any inaccuracies.

From what I could gather, the dependency-type: "development" should only update the following dependency groups:

  • "dev-dependency" from Poetry
  • "dev_packages" from Pipfile
  • "tests_require" (and maybe "extras_require") from Setuptools
    • This only works with deps explicitly declared in the setup file, not read in from a .txt like in this answer

Dependencies in any .txt file seem to be treated as "production".

Belisle answered 28/4, 2023 at 22:13 Comment(0)

If you choose dependency-type: production under npm, I am assuming dependabot will ignore any packages inside of devDependencies. Unfortunately, I'm not sure since the docs don't mention the specific criteria the tool uses.

I think it's clear but I also referred to the source whose repo bears this description, "The core logic behind Dependabot's update PR creation."

The default dependabot policy works like this for npm:

updates:
  - package-ecosystem: "npm"
    ...
    allow:
      - dependency-type: "all"

And that gets you dependencies, devDependencies, peerDependencies, bundledDependencies, and optionalDependencies, although there are comments in the code suggesting peer dependencies are not being handled right now.

If you want dependabot to only check production dependencies, you would configure it like this:

updates:
  - package-ecosystem: "npm"
    ...
    allow:
      - dependency-type: "production"

Note that allow is an array, so to check both production and development dependencies, you'd configure it like this:

updates:
  - package-ecosystem: "npm"
    ...
    allow:
      - dependency-type: "production"
      - dependency-type: "development"
Roue answered 3/6, 2022 at 7:1 Comment(0)
