Dependabot: How to ignore updates whose versions end with a fixed prefix?

Hi there,

I’m using Gradle and one of the dependencies is Kotlin coroutines, which kind of uses semantic release but not really: They provide different flavours of each release, so version “1.2.3” will be available as 1.2.3 and 1.2.3-native-mt. How can I ignore all the updates ending with -native-mt?

I already tried the following but it was refused as invalid by Dependabot:

- package-ecosystem: gradle
  directory: "/"
  schedule:
    interval: weekly
    time: "08:00"
    timezone: Etc/UCT
  open-pull-requests-limit: 99
  ignore:
    - dependency-name: "kotlinCoroutinesVersion"
      versions:
        - "*-native-mt"

Here’s the error I got:

The property '#/updates/0/ignore/0/versions' includes invalid version requirements for a gradle ignore condition

Cheers.

2 Likes

We are also having the same problem in our repositories because Dependabot can’t use wildcards in the ignore.versions configuration.

Specifically, I often have beta and rc in the version, and I want to be able to ignore them when I get a PR from dependabot.

For example, golang image versions

 % image=golang; curl -s https://registry.hub.docker.com/v1/repositories/${image}/tags | grep name | jq -r '.[].name' | egrep '1.17(-)?(beta|rc)'
1.17-rc
1.17-rc-alpine
1.17-rc-alpine3.12
1.17-rc-alpine3.13
1.17-rc-alpine3.14
1.17-rc-buster
1.17-rc-nanoserver
1.17-rc-nanoserver-1809
1.17-rc-stretch
1.17-rc-windowsservercore
1.17-rc-windowsservercore-1809
1.17-rc-windowsservercore-ltsc2016
1.17beta1
1.17beta1-alpine
1.17beta1-alpine3.12
1.17beta1-alpine3.13
1.17beta1-alpine3.14
1.17beta1-buster
1.17beta1-nanoserver
1.17beta1-nanoserver-1809
1.17beta1-stretch
1.17beta1-windowsservercore
1.17beta1-windowsservercore-1809
1.17beta1-windowsservercore-ltsc2016

1 Like
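The tags above and the -native-mt flavour from the first post mix three kinds of suffix: pre-release markers with a separator (1.17-rc), pre-release markers without one (1.17beta1), and flavour suffixes. The following added example is not part of the original thread and does not change Dependabot's behaviour; it is a shell filter that tells these cases apart and could be run over candidate versions, for instance when reviewing an update PR. The marker list and the `EXCLUDED_FLAVOURS` policy variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): filter version strings / image tags.
# Assumptions: pre-release markers are alpha, beta and rc (any case, optional
# digits); EXCLUDED_FLAVOURS is a local policy list, not a Dependabot setting.
EXCLUDED_FLAVOURS='native-mt'

# Exit 0 when the tag carries a pre-release marker right after the numeric part.
# Handles both "1.17-rc" (separator) and "1.17beta1" (no separator), but not
# "1.17-alpine", where the suffix is only an image flavour.
is_prerelease() {
    printf '%s\n' "$1" |
        grep -Eiq '^v?[0-9]+(\.[0-9]+)*[-.]?(alpha|beta|rc)[0-9]*([-.]|$)'
}

# Exit 0 when the tag ends in, or contains, one of the excluded flavours.
has_excluded_flavour() {
    for flavour in $EXCLUDED_FLAVOURS; do
        case "$1" in
            *-"$flavour" | *-"$flavour"-*) return 0 ;;
        esac
    done
    return 1
}

# Read tags on stdin, print only those that pass both checks.
filter_acceptable() {
    while IFS= read -r tag; do
        [ -n "$tag" ] || continue
        is_prerelease "$tag" && continue
        has_excluded_flavour "$tag" && continue
        printf '%s\n' "$tag"
    done
    return 0
}

# Constructed sample: some tags from the thread plus made-up stable ones.
sample_tags() {
    cat <<'EOF'
1.17-rc
1.17-rc-alpine3.14
1.17beta1
1.17beta1-buster
1.16.6
1.16.6-alpine3.14
1.2.3
1.2.3-native-mt
EOF
}

sample_tags | filter_acceptable
```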

I have the same problem (also with golang images from Docker Hub).

There are some issues over at GitHub - dependabot/dependabot-core (the core logic behind Dependabot's update PR creation, and the public issue tracker for all things Dependabot):

1 Like