Configure Dependabot to only create PRs for minor or patch updates #21626
-
Is it possible to configure Dependabot to only create PRs for updates that satisfy the current manifest? For example if my version constraint in npm or composer is Ultimately I’d like Dependabot to match what a
Replies: 4 comments
-
I don’t think this is a good solution. If you have 100 dependencies you have to create 100 ignore options just to prevent major updates. As a developer I would like to have 1 parameter option to prevent PRs for major updates in a repository.
-
Are there any plans to allow restricting all pull requests based on semver? The old non-GitHub version of Dependabot had this built-in. There are lots of major versions of package updates that will require massive refactoring to fix and having to add an explicit ignore line for each of them is not a viable strategy.
-
Per the current docs, to ignore all major updates for all deps, can use the For instance:

```yaml
# Use `ignore` to specify dependencies that should not be updated
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # For all deps
      - dependency-name: "*"
        # ignore all major updates
        update-types: ["version-update:semver-major"]
```
-
Hi there! 👋 Welcome to the Community!

Yes, this is possible! You can add an ignore option to the `dependabot.yml` configuration file: https://help.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates#specifying-dependencies-and-versions-to-ignore

You could specify `versions: ["3.x", "4.x", "5.x"]` to ensure only updates in “2.x” have PRs raised.
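
Added example (not part of the thread and not Dependabot's own code): a simplified Python model of how the two `ignore` styles discussed above, the enumerated `versions` list and the wildcard `update-types` rule, decide whether a version bump gets a PR. The package name `example-lib`, the sample rules and the matching logic (plain numeric versions and the `N.x` range form only) are assumptions made for illustration.

```python
import fnmatch

# Simplified model of dependabot.yml `ignore` matching. This is an assumption
# made for illustration, not Dependabot's implementation.

def parse(version):
    """'4.17' -> (4, 17, 0). Plain numeric versions only."""
    parts = [int(p) for p in version.lstrip("v").split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def update_type(current, candidate):
    """Classify a bump with the update-types names used in dependabot.yml."""
    cur, new = parse(current), parse(candidate)
    if new[0] != cur[0]:
        return "version-update:semver-major"
    if new[1] != cur[1]:
        return "version-update:semver-minor"
    return "version-update:semver-patch"

def in_range(candidate, spec):
    """Only the 'N.x' form quoted in the thread is modelled."""
    major, _, rest = spec.partition(".")
    return rest == "x" and parse(candidate)[0] == int(major)

def is_ignored(rules, name, current, candidate):
    """True if any ignore rule would suppress the PR for this bump."""
    for rule in rules:
        if not fnmatch.fnmatchcase(name, rule["dependency-name"]):
            continue
        versions = rule.get("versions", [])
        types = rule.get("update-types", [])
        if any(in_range(candidate, v) for v in versions):
            return True
        if update_type(current, candidate) in types:
            return True
    return False

# Constructed rules mirroring the two replies; "example-lib" is hypothetical.
PER_DEP = [{"dependency-name": "example-lib", "versions": ["3.x", "4.x", "5.x"]}]
WILDCARD = [{"dependency-name": "*", "update-types": ["version-update:semver-major"]}]

if __name__ == "__main__":
    for label, rules in (("per-dep versions", PER_DEP), ("wildcard update-types", WILDCARD)):
        for new in ("2.4.0", "4.0.0", "6.0.0"):
            verdict = "ignored" if is_ignored(rules, "example-lib", "2.3.0", new) else "PR raised"
            print(f"{label:22} 2.3.0 -> {new}: {verdict}")
```

In this model the enumerated list lets a 6.0.0 bump through once a new major ships and does nothing for other packages, while the wildcard rule suppresses every major bump without per-package entries.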