How to get dependabot to trigger for security updates only

3

21

I'm using GitHub dependabot.yml, version 2.

version: 2
updates:
  # Nuget Packages
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "monthly"

I am trying to figure out whether there is any possibility to configure it so that the dependencies are updated only if they include security fixes, as can be done with version 1:

version: 1
update_configs:
  - package_manager: "dotnet:nuget"
    directory: "/"
    update_schedule: "monthly"
    allowed_updates:
      # update_type belongs under match (it was a sibling of match in the pasted
      # config, which is not what the v1 schema expects)
      - match:
          update_type: "security"

Let me know if you had the same issue and how you resolved it.

Thanks

Blameful answered 24/9, 2020 at 13:28 Comment(0)
17

According to GitHub support, you can set the number of open pull requests to 0 in dependabot.yml:

open-pull-requests-limit: 0

This means it will only create security updates.

Anthropolatry answered 5/7, 2021 at 10:17 Comment(5)
This answer is incorrect. If you set up the pull requests limit to 0 it prevents dependabot from raising any PRs with the following error: "Dependabot cannot open any more pull requests. The open pull request limit has been exceeded. The current limit is: 0. Dependabot will open new pull requests once you merge or close the already open pull requests. You can also update this limit in the config file." – Excavator
@MarianBazalik You are right that the error appears, however in my experience it still opens PRs for security updates. – Anthropolatry
I have explicitly tested for this, and I am not getting any PRs raised :(. I do have a repo with a single security issue recognized by dependabot. The issue can be resolved by a simple bump of the version (respecting the semver), however the dependabot does nothing :( – Excavator
The documentation seems to agree with @leeb: "This option has no impact on security updates, which have a separate, internal limit of ten open pull requests." (from docs.github.com/en/code-security/supply-chain-security/…) – Raspberry
@Anthropolatry so I tested it again, and yes you are correct, however, the PR is created no matter what the dependabot configuration is. It comes from dependabot security updates, which you need to enable, and if that mechanism discovers a security issue it will attempt to resolve it automatically by raising a semver bump PR. – Excavator
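Putting the answer and its comment thread together, this is the v2 configuration for the NuGet project from the question with version-update PRs suppressed. It is an added example, not a file from the thread; the comments in it summarise what the answer, the docs quote and the last comment state about where security-update PRs actually come from.

```yaml
# Added example: dependabot.yml (version 2) for the NuGet project in the question.
# This file only controls *version* updates. Security-update PRs are produced by
# "Dependabot security updates", which is enabled in the repository's security
# settings and has its own internal limit of ten open PRs, so they are not
# affected by open-pull-requests-limit.
version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "monthly"
    # 0 stops Dependabot from opening version-update PRs for this ecosystem.
    # Expect the "open pull request limit has been exceeded" message in the
    # Dependabot logs; that message concerns version updates only.
    open-pull-requests-limit: 0
```

Leaving `open-pull-requests-limit` at its default (or removing the `nuget` entry entirely) re-enables the routine version-bump PRs; the security PRs keep arriving either way as long as the repository-level feature is switched on.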
6

Yeah, I was having the same problem, then I found something like this GitHub community thread.

I remembered where I saw this. When using the original dependabot from the marketplace, one configuration option is to only perform security updates. I have that set for one of my repositories. There is now an option in the original dependabot to generate a dependabot.yml configuration file using the settings configured in the original dependabot (to assist in transitioning to using dependabot.yml). When I do so for the repository with only security updates enabled I receive this message:

"You're using unsupported features. This repository is configured to only scan for security updates. Configuring security updates using the new config file is not supported. You can instead enable Dependabot Security Updates from the repository security settings page."

It sounds like in dependabot v2 they have separated out the security updates into UI config, which is as bad as the GitHub Actions secret. But it looks like you don't need dependabot config for security patches for dependencies anymore.

Let me know if that helps.

Squish answered 30/9, 2020 at 20:57 Comment(3)
I also saw that thread. Yes, it seems like it is not possible to configure dependabot to track only security patches. Thanks! – Blameful
It is totally possible, but you just don't need dependabot config anymore. – Squish
@Squish how to track security only without dependabot? – Fatimafatimah
-2

Is this possible with self-hosted dependabot-core (more specifically a custom dependabot-script running as a container in an Argo Workflows cron workflow)? It seems like there is a setting called security_updates_only, but I'm not clear if that's meant for that purpose.

Hat answered 5/5, 2023 at 18:54 Comment(1)
"It seems like there is a setting called security_updates_only" – where did you read that? – Prate
