I have a directory /experiments in my repo which contains - surprise! - experiments. Those usually come with their own package.json which includes dependencies that were up to date at the time I made the experiment but might be outdated by now. I have no intent to keep them up to date as the experiments are just proofs of concepts - concepts I might want to use later in the project but I would then implement anew in the main project.
Unfortunately Dependapot sends me a lot of PRs that are about those dependencies in /experiments. Many of them require manual efforts on my end. So I would like to tell Dependabot to not send any notifications or create PRs for everything that is in the /experiments directory (but keep creating PRs for dependencies in the main project).
I didn't really find much docs about how to configure Dependabot on GitHub, but I came up with this:
/.github/dependabot.yml:
version: 2
updates:
# Ignore experiments:
- package-ecosystem: "npm"
directory: "/experiments"
schedule:
interval: "daily"
ignore:
- dependency-name: "*"
It doesn't seem to work though. Today I received another PR from Dependabot that bumped one of the dependencies in /experiments. It was automatically merged, so no effort on my end, but still a bit annoying.
How can I do this right?