How to get Dependabot to trigger for security updates only?

Hi, I’m attempting to create a dependabot.yml that only creates PRs when there are security updates. However, it appears to be firing for any Ruby gem update. Here’s the current state of my configuration file:

.github/dependabot.yml

version: 2

updates:
  - package-ecosystem: bundler
    allow:
      dependency-type: all
    directory: '/'
    open-pull-requests-limit: 10
    schedule:
      interval: daily
    security-updates-only: true
    versioning-strategy: lockfile-only

  - package-ecosystem: npm
    allow:
      dependency-type: all
    directory: '/'
    open-pull-requests-limit: 10
    schedule:
      interval: daily
    security-updates-only: true
    versioning-strategy: lockfile-only

If anyone has any additional and updated details regarding Dependabot like documentation, please feel free to reach out.

-Conrad

Hi @conradwt, welcome to the community! We are happy you are here. I wonder if the issue has something to do with https://github.com/dependabot/dependabot-core/issues/1699?

I’m actually having a different issue at this time. Thus, I’m just wondering, what’s the correct code to tell Dependabot to only create PRs for security updates? At this time, it’s creating PRs for every gem update.

Thanks for the follow-up @conradwt, have you tried changing the versioning strategy? In your config file, under the package-ecosystem: bundler entry, change the versioning strategy to:

versioning-strategy: increase_versions_if_necessary

Technically, this option will only update the Gemfile when the update does not fall within the version specified in the Gemfile. If the issue is with updates to the Gemfile.lock file, I’m afraid there isn’t a way to disable updating this file as far as I know.

Hi, is this for security updates only or all updates? Is there a setting per/repository to allow one to create PRs for security updates only within Github?

I was wondering the same thing. Eventually I found somewhere in the documentation that security updates are not configured in dependabot.yml; it is for updating all dependencies. If you only want security updates then this is only done in the UI under Settings -> Security & analysis. If I can find the documentation stating this I’ll reply here with the link.

I remembered where I saw this. When using the original dependabot from the marketplace one configuration option is to only perform security updates. I have that set from one of my repositories. There is now an option in the original dependabot to generate a dependabot.yml configuration file using the settings configured in the original dependabot (to assist in transitioning to using dependabot.yml). When I do so for the repository with only security updates enabled I receive this message:

You’re using unsupported features

This repository is configured to only scan for security updates. Configuring security updates using the new config file is not supported. You can instead enable Dependabot Security Updates from the repository security settings page.

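For reference, here is what the two replies above add up to in practice: a dependabot.yml that only drives version updates, with the unrecognised security-updates-only key dropped (security-only updates are switched on per repository under Settings -> Security & analysis, not in this file). This is an added example written for this thread, not the original poster's file; the versioning-strategy value is spelled the way the Dependabot documentation lists it (increase-if-necessary), and the allow block uses the documented list form, which is the default and could be omitted.

```yaml
# .github/dependabot.yml (added example, not the poster's file)
version: 2

updates:
  - package-ecosystem: bundler
    directory: "/"
    schedule:
      interval: daily
    open-pull-requests-limit: 10
    # Documented form of the allow filter: a list of entries.
    # dependency-type: all is the default, so this block is optional.
    allow:
      - dependency-type: "all"
    # Only rewrite the Gemfile when the new version falls outside the
    # constraint it already states; Gemfile.lock is still updated.
    versioning-strategy: increase-if-necessary
    # Note: there is no security-updates-only key. Dependabot ignores unknown
    # keys here, so the earlier setting never limited anything; security-only
    # behaviour comes from the repository's security settings page instead.

  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: daily
    open-pull-requests-limit: 10
    allow:
      - dependency-type: "all"
    versioning-strategy: increase-if-necessary
```

If you want nothing but security PRs, the practical answer from this thread is to delete the updates entries (or the whole file) and enable Dependabot security updates in the repository settings; keeping a version-updates config means ordinary gem and npm bumps will keep arriving on the daily schedule.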

Yes, this is definitely the case during my research of this topic. It would be nice to have all this configuration in a single place but that isn’t the case today. Thus, I will be removing this configuration file from my repositories at this time. Thanks, everyone, for your feedback; I appreciate it.