Questions tagged [dependabot]
Dependabot creates pull requests to keep your dependencies secure and up-to-date.
dependabot · 181 questions
Disabling dependabot alerts for a repository on GitHub (32 votes · 4 answers · 11k views)
GitHub dependabot security alerts may sometimes become a chore especially when an abandoned project that is no longer in active use receives frequent security advisories. Is there an option to disable ...
GitHub Actions - Ignore or exclude Dependabot Pull Requests (29 votes · 1 answer · 11k views)
I have a repository with Dependabot in it, that opens PR on version updates, etc which I would like to keep.
In the same repository, I have a GitHub Action for Pull Requests for my team to use.
My ...
Can I exclude directories from GitHub Dependabot? (29 votes · 1 answer · 8k views)
I have a directory /experiments in my repo which contains - surprise! - experiments. Those usually come with their own package.json which includes dependencies that were up to date at the time I made ...
Is it possible to select a specific branch against which Dependabot should open PRs? (27 votes · 1 answer · 22k views)
Like the title says, on GitHub is it possible to manually select a branch against which Dependabot should open its Pull Requests?
From what I can see, it opens PR against whichever branch is set to be ...
dependabot only updates lock file (24 votes · 3 answers · 8k views)
We've recently switched from greenkeeper to dependabot for our dependencies checks and we noticed that dependabot is opening PRs changing only package-lock.json leaving package.json as it was.
On the ...
How do I automerge dependabot updates (config version 2)? (23 votes · 3 answers · 15k views)
Following "Dependabot is moving natively into GitHub!", I had to update my dependabot config files to use version 2 format.
My .dependabot/config.yaml did look like:
version: 1
...
How to get dependabot to trigger for security updates only (20 votes · 3 answers · 7k views)
I'm using GitHub dependabot.yml, version 2.
version: 2
updates:
  # Nuget Packages
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "monthly&...
How to GET the list of dependabot alerts via GitHub API? (16 votes · 2 answers · 12k views)
How can I GET the list of dependabot alerts available at https://github.com/{user}/{repo}/security/dependabot?page=1&q=is%3Aopen via the GitHub API?
I searched through the documentation but ...
How do I test dependabot before merging config (14 votes · 1 answer · 6k views)
Is there a way to test that dependabot is working as expected before merging it to my repo?
I work on a pretty large team and I want to make sure I can test the functionality before merging. I have a ...
Dependabot "No security update is needed as ansi-regex is no longer vulnerable" (12 votes · 3 answers · 3k views)
Dependabot first reported and then retracted a security problem in a package. The basis of the retraction isn't given, just that the package "is no longer vulnerable." That makes no sense. ...
How to trigger dependabot scan on developer pull requests (11 votes · 2 answers · 14k views)
I'm not sure if my use case is one dependabot is suited for, so hoping someone can tell me if it is or is not, and if it is, point me to some documentation on how to do what I'm describing:
I want to ...
Force dependabot to scan my github repo without open PRs (10 votes · 2 answers · 4k views)
I have dependabot enabled in my GitHub repo.
However there is currently no open PR by it.
I see in my repo the following message:
Dependabot updates are paused
We noticed you haven't used Dependabot in a ...
How can I change my dependabot config to exclude major versions (10 votes · 2 answers · 9k views)
This is my dependabot config, is there any way to exclude major version updates and just have minor, patch and security updates? If so what would I need to change?
version: 1
update_configs:
  - ...
How to disable or ignore Dependabot pull requests? (10 votes · 2 answers · 5k views)
We want to use Dependabot to be informed about updated dependencies, but we do not want Dependabot to create pull requests on its own and do not want automated builds (we use GitHub for Code, Azure ...
Is dependabot.yml mandatory for GitHub Dependabot? (9 votes · 2 answers · 9k views)
Is adding of the dependabot.yml file mandatory for having GitHub Dependabot updates? Or is it just an additional option to change default values?
https://docs.github.com/en/github/administering-a-...
How to use Dependabot with private packages (9 votes · 3 answers · 13k views)
I need some help with Dependabot. I found out recently about this amazing package, but some of my repositories require dependencies that are private packages, created by me and used in my personal ...
CVE-2021-44906 Prototype Pollution in minimist (9 votes · 1 answer · 9k views)
GitHub dependabot found potential security vulnerabilities in my dependencies.
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
I don't ...
configure NPM version for dependabot (8 votes · 1 answer · 692 views)
I'm using dependabot to update my NPM dependencies with the following dependabot.yml
version: 2
updates:
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: monthly
    rebase-...
dependabot: Error : .github#L1 No event triggers defined in `on` (7 votes · 1 answer · 3k views)
I'm trying to set up dependabot on a GitHub repo.
Here's my config file:
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "...
Is there a way to generate a badge for the Dependabot into GitHub? (7 votes · 1 answer · 2k views)
I've migrated a private GitHub repository to use the new Dependabot (into GitHub) and now the Dependabot badge shows as it is inactive, on my README.md, but it's working fine.
I'm looking for a way ...
Dependabot with AWS CodeArtifact (6 votes · 3 answers · 2k views)
I'm trying to use Dependabot with AWS CodeArtifact and I keep getting authentication issues.
Dependabot can't authenticate to a private package registry
The following private package registry was ...
Exclude codeowners from dependabot PR (6 votes · 1 answer · 783 views)
We use a codeowners file to automatically assign reviews to Pull Requests. We also have Dependabot creating PRs for major versions.
We do not want to automatically add reviews to the PRs created by ...
How to pass Dependabot OPTIONS properties to dependabot-script in Azure DevOps Pipeline (6 votes · 1 answer · 1k views)
After following guides like this one I am able to successfully run dependabot against my Azure DevOps repo and it auto creates PRs. The issue is I have some customizations I need to make such as ...
GitHub API to manage access to Security Alerts? (6 votes · 1 answer · 979 views)
After enabling the Dependabot Security Alerts you need to explicitly grant access to alerts in the Security & Analysis settings (https://github.com/[org]/[repository]/settings/security_analysis). ...
To what end are we maintaining package-lock.json files that are free of security vulnerabilities? Why not just delete them or let them go stale? (6 votes · 0 answers · 1k views)
package-lock.json stores a set of exact versions for all the dependencies and transitive dependencies that got installed when someone last ran npm update. You are encouraged to commit package-lock....
What do production and development dependency groups mean in dependabot? (6 votes · 2 answers · 2k views)
The dependabot docs say that you can indicate which dependency type to check per package manager. However, it is not clear how it tells between development and production packages. The other options ...
Automatic merging of Dependabot generated Pull Request with codeowners file and branch protection rule? (5 votes · 1 answer · 3k views)
I have created Workflow for GitHub Actions as described here: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-...
Updating dependency graph always fails (5 votes · 3 answers · 2k views)
I've set my maven.yml to update my project's dependency graph when it builds, but it always fails with this error:
Error: Response body:
{
  "message": "Resource not accessible by ...
Ignore Dependabot notifications for 3rd party Repositories (5 votes · 0 answers · 381 views)
Is it possible to watch a 3rd party repository on GitHub, but ignore any notification generated by dependabot?
For example, I want to follow development in a repository like:
https://github.com/open-...
GitHub dependabot: How to run analysis on another branch (5 votes · 1 answer · 4k views)
How do I run the dependabot against the feature branches?
What I'm trying to do, is to find the vulnerabilities of the third-party packages, not yet in the default branch, before deploying them.
Here ...
Google Cloud basic authentication: The caller does not have permission (5 votes · 0 answers · 193 views)
I am trying to authorize Dependabot for a private npm package repository stored in the Google Cloud Artifact registry with basic authentication. I created a Service Account and provided repository ...
Dependabot issue - cannot update glob-parent to a non-vulnerable version (5 votes · 0 answers · 1k views)
I've just started to use Dependabot and encountered an issue with one of its alerts. I was looking for an answer on how to handle such vulnerabilities, but didn't find any proper resource. What I can see ...
How to use dependabot secrets in GitHub CI workflow (4 votes · 1 answer · 3k views)
I have a NPM_AUTH_TOKEN secret which was originally stored in my actions secrets which doesn't seem to be accessible by dependabot when it automatically opens a PR.
I have now copied this secret into ...
Dependabot - Ignoring NuGet package versions (4 votes · 1 answer · 2k views)
I'm trying to get dependabot up and running with C# projects that have NuGet dependencies, and configure it to ignore certain versions of packages, such as .NET 7 packages.
Things I have tried:
...
CI Tests fail on Dependabot pull requests (4 votes · 2 answers · 2k views)
I have a GitHub action that runs tests in the CI on every pull request that is opened on my repo.
As part of the tests workflow, the job checks out several other repositories in the GitHub organization (...
Does dependabot test to make sure it does not break the build? (4 votes · 2 answers · 1k views)
I just got a dependabot saying:
Bump three from 0.120.1 to 0.125.0
But does it test that this will not break my repo?
It would have to run both "build" and "test" in my package....
Error upgrading dependencies in yarn.lock file with yarn up in Yarn 2.0 (4 votes · 2 answers · 2k views)
I'm trying to use Yarn 2.0 to upgrade to the latest version of the dependency in my yarn.lock to resolve a dependabot issue. The issue exists with the ini dependency and I tried running command yarn ...
Distinguishing between Dependabot security and version update pull requests? (4 votes · 2 answers · 2k views)
We've had Dependabot enabled for security vulnerabilities on our repos for a while, but just set it up for versioning updates as well. My understanding is that the configuration options for the latter ...
How to configure the dependabot.yml for updating whenever a new python patch version for alpine is available on docker hub? (4 votes · 0 answers · 2k views)
I'm using Docker for codebase and dependabot on GitHub.
What I want:
Whenever there's a new patch version for python or a new minor version of alpine for the python-alpine image on docker hub, see https://...
Dependabot for submodules with different intervals (3 votes · 1 answer · 2k views)
We would like to have dependabot update our submodules in different intervals. For example, google test has new commits almost every day but we probably won't need them immediately, so updating once ...
Azure devops NPM Authentication in dependabot.yml (3 votes · 3 answers · 1k views)
I currently have the following pipeline working:
schedules:
  - cron: "0 20 * * FRI"
    displayName: 'Weekly Run'
    always: true
    branches:
      include:
        - 'develop'
trigger: ...
Dependabot pip package-ecosystem with two separate schedules (3 votes · 0 answers · 305 views)
I have Dependabot running daily for package-ecosystem: "pip".
The problem I face is that the AWS boto library has a lot of updates and this is inflating my GitHub costs substantially.
I ...
Dependabot not updating the gradle dependencies (3 votes · 0 answers · 631 views)
I have an Android module called "dependencies" in my app. That's what the Gradle file looks like.
dependencies {
    implementation 'androidx.core:core-ktx:1.7.0'
    implementation '...
Environment variables in dependabot.yml? (3 votes · 1 answer · 2k views)
I'm trying to set up dependabot-standalone to run in a GitLab-CI pipeline in a private instance.
It's an npm package and I'm using a private npm registry to fetch my dependencies from. According to ...
How to automatically manage and update CDK version with Projen? (3 votes · 1 answer · 1k views)
Context:
Projen is an awesome tool to generate and manage (JSII-built) AWS CDK projects.
Background:
Previously I have managed CDK dependencies with RenovateBot's group:aws-cdkMonorepo preset. This ...
Dependabot says Kramdown needs a security update - but I don't have a Gemfile in which the vulnerability is supposed to be (3 votes · 0 answers · 165 views)
I got a dependabot alert (CVE-2020-14001 Vulnerable versions: < 2.3.0 Patched version: 2.3.0) from GitHub for one of my GitHub Pages sites (https://github.com/akademie-oeffentliches-gesundheitswesen/...
How can Dependabot automatically merge its pull requests based on Azure pipelines build status? [closed] (3 votes · 0 answers · 1k views)
If Dependabot is enabled to automatically bump dependencies and create pull requests to 'master', how can these pull requests be automated so they are automatically approved and merged if Dependabot's ...
How to NOT run a GitHub Action when a specific label is set? (2 votes · 3 answers · 2k views)
I have a GitHub Action workflow that runs to deploy a preview of a react-native expo app always when a Pull Request is opened. However, I do not want it to run when the dependabot opens a Pull Request....
Update dependencies in NPM to resolve vulnerability (2 votes · 1 answer · 4k views)
My repo in GitHub shows the following alert:
Dependabot cannot update ssri to a non-vulnerable version. The latest possible version that can be installed is 6.0.1 because of the following conflicting ...
Does `@dependabot recreate` also rebase onto latest mainline? (2 votes · 1 answer · 1k views)
I'm having trouble finding a definitive answer to this, so asking here:
On GitHub projects that use Dependabot, will @dependabot recreate also rebase the branch onto latest mainline just like @...