Configure Dependabot to only create PRs for minor or patch updates

Is it possible to configure Dependabot to only create PRs for updates that satisfy the current manifest? For example if my version constraint in npm or composer is ^2.4.1 that PRs would be raised for any minor or patch version, but nothing 3.0.0 or greater?

Ultimately I'd like Dependabot to match what an npm update or composer update command would update, instead of raising PRs to newer major versions: more than just security updates, but less than major releases of dependencies.

Hi there! :wave: Welcome to the Community!

Yes, this is possible! You can add an ignore option to the dependabot.yml configuration file:

https://help.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates#specifying-dependencies-and-versions-to-ignore

You could specify versions: ["3.x", "4.x", "5.x"] to ensure only updates in "2.x" have PRs raised.

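What the answer's ignore approach looks like in a full dependabot.yml, as an added example that is not from the original thread or from GitHub's docs. The npm block uses the per-dependency ignore list exactly as the answer describes; the composer block shows the later-added update-types key, which Dependabot now accepts inside ignore and which, combined with a wildcard dependency-name, suppresses every major-version PR in one rule. The package name lodash and the weekly schedule are assumptions for illustration.

```yaml
# .github/dependabot.yml (added example, not part of the original thread)
version: 2
updates:
  # Approach from the answer above: list, per dependency, the version
  # ranges Dependabot must never propose. Only "2.x" PRs remain for lodash.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "lodash"        # assumed package name
        versions: ["3.x", "4.x", "5.x"]  # each future major must be listed

  # One-rule form: the update-types key (added to Dependabot after this
  # thread) with a wildcard dependency-name blocks every major bump in the
  # ecosystem, so no per-package entries are needed.
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

Two caveats when applying this. Ignore rules filter the version Dependabot would otherwise propose; they do not read the caret or tilde range in package.json or composer.json, so a narrower pin such as ~2.4.1 is not honoured unless you also ignore minor updates for that package. And because the ignore list is evaluated per update run, check the "Dependabot" entry under the repository's Insights > Dependency graph after the first run to confirm the intended PRs are the only ones being opened.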

I don't think this is a good solution. If you have 100 dependencies you have to create 100 ignore options just to prevent major updates. As a developer I would like to have 1 parameter option to prevent PRs for major updates in a repository.


Are there any plans to allow restricting all pull requests based on semver?

The old non-github version of dependabot had this built-in.

There are lots of major versions of package updates that will require massive refactoring to fix, and having to add an explicit ignore line for each of them is not a viable strategy.