Configure Dependabot to only create PRs for minor or patch updates

Is it possible to configure Dependabot to only create PRs for updates that satisfy the current manifest? For example if my version constraint in npm or composer is ^2.4.1 that PRs would be raised for any minor or patch version, but nothing 3.0.0 or greater?

Ultimately I’d like Dependabot to match what an npm update or composer update command would update instead of raising PRs to newer major versions: more than just security updates, but less than major releases of dependencies.

Hi there! :wave: Welcome to the Community!

Yes, this is possible! You can add an ignore option to the dependabot.yml configuration file:

https://help.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates#specifying-dependencies-and-versions-to-ignore

You could specify `versions: ["3.x", "4.x", "5.x"]` to ensure only updates in "2.x" have PRs raised.

1 Like
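As an added example (not from the original answer), here is a complete dependabot.yml that applies the ignore approach above to both package ecosystems the question mentions. The dependency names `some-npm-package` and `vendor/some-composer-package` are placeholders; it also shows the broader `update-types` form, which ignores every future major release instead of only the majors you list by hand.

```yaml
# Added example: dependabot.yml (lives at .github/dependabot.yml)
version: 2
updates:
  # npm: stay within the current ^2.x range, as "npm update" would
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # Explicit majors to skip, as suggested in the answer above.
      # Placeholder dependency name.
      - dependency-name: "some-npm-package"
        versions: ["3.x", "4.x", "5.x"]
      # Broader form: for every dependency, skip all major bumps but
      # still raise PRs for minor and patch updates.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

  # composer: same policy for PHP dependencies
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # Placeholder dependency name.
      - dependency-name: "vendor/some-composer-package"
        versions: ["3.x", "4.x", "5.x"]
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

Security updates are not affected by these ignore rules in the sense that you still see minor and patch releases, which is where most security fixes land; a major-only security fix would be suppressed, so review the Dependabot alerts tab as well.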