18

I'm using GitHub dependabot.yml, version 2.

```yaml
version: 2
updates:
  # Nuget Packages
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "monthly"
```

I am trying to figure out whether there is any way to configure it so that dependencies are updated only if the update includes security fixes, as could be done in version 1:

```yaml
version: 1
update_configs:
  - package_manager: "dotnet:nuget"
    directory: "/"
    update_schedule: "monthly"
    allowed_updates:
      # only open PRs for updates that fix a security advisory
      - match:
          update_type: "security"
```

Let me know if you had the same issue and how you resolved it.

Thanks

Kseniia Pelykh

4 Answers

14

According to GitHub support, you can set the number of open pull requests to 0 in dependabot.yml:

```yaml
open-pull-requests-limit: 0
```

This means it will only create security updates.

leeb
  • This answer is incorrect. If you set the pull request limit to 0, it prevents Dependabot from raising any PRs, with the following error:

    ```
    Dependabot cannot open any more pull requests The open pull request limit has been exceeded. The current limit is: 0. Dependabot will open new pull requests once you merge or close the already open pull requests. You can also update this limit in the config file.
    ```

    – Marian Bazalik Aug 02 '21 at 16:20
  • @MarianBazalik You are right that the error appears, however in my experience it still opens PRs for security updates. – leeb Aug 03 '21 at 15:14
  • I have explicitly tested for this, and I am not getting any PRs raised :(. I do have a repo with a single security issue recognized by Dependabot. The issue can be resolved by a simple bump of the version (respecting semver), however Dependabot does nothing :( – Marian Bazalik Aug 16 '21 at 11:20
  • 4
    The documentation seems to agree with @leeb: "This option has no impact on security updates, which have a separate, internal limit of ten open pull requests." (from https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#open-pull-requests-limit) – CleanUp Oct 19 '21 at 08:44
  • 1
    @leeb so I tested it again, and yes, you are correct; however, the PR is created no matter what the Dependabot configuration is. It comes from Dependabot security updates, which you need to enable, and if that mechanism discovers a security issue it will attempt to resolve it automatically by raising a semver bump PR – Marian Bazalik Nov 11 '21 at 21:52
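As an added illustration, not code from the question or from any answer on this page: a small Python checker that scans a dependabot.yml for the version-1-only keys shown in the question, for the `allow: security` form a later answer warns about, and for `open-pull-requests-limit: 0`, reporting what that setting does according to the documentation quoted in the comments above. The `lint_dependabot` and `LintResult` names and the line-based scan are this example's own assumptions; it is not a YAML parser and only recognises the flat `key: value` layouts used in the configs above.

```python
"""Check a dependabot.yml for "security updates only" settings that
version 2 does not support.

Added example, not code from the question or any answer on this page.
It is a deliberately simple line-based scan, not a YAML parser: it
recognises "key: value" and "- key: value" lines and nothing more.
"""
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Keys from the version-1 config in the question that have no version-2 equivalent.
V1_ONLY_KEYS = ("update_configs", "package_manager", "update_schedule",
                "allowed_updates", "update_type")

# Matches "key: value" or "- key: value"; the value may be empty.
KEY_RE = re.compile(r"^\s*(?:-\s*)?([A-Za-z_][A-Za-z0-9_-]*)\s*:\s*(.*)$")


@dataclass
class LintResult:
    version: Optional[int] = None
    v1_only_keys: List[str] = field(default_factory=list)  # v1 keys found in a v2 file
    allow_security: bool = False   # "allow: security", which version 2 does not accept
    pr_limit_zero: bool = False    # open-pull-requests-limit: 0 present
    messages: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        """True when the file contains no setting that version 2 silently ignores."""
        return not self.v1_only_keys and not self.allow_security


def _pairs(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_number, key, value) for each key/value line, comments stripped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        m = KEY_RE.match(line)
        if m:
            yield lineno, m.group(1), m.group(2).strip().strip("\"'[] ")


def lint_dependabot(text: str) -> LintResult:
    res = LintResult()
    pairs = list(_pairs(text))
    for _, key, value in pairs:          # find the schema version first
        if key == "version" and value.isdigit():
            res.version = int(value)
    if res.version is None:
        res.messages.append("no 'version' key found; Dependabot expects version: 2")
    for lineno, key, value in pairs:
        if res.version != 1 and key in V1_ONLY_KEYS:
            res.v1_only_keys.append(key)
            res.messages.append(
                f"line {lineno}: '{key}' is a version-1 option and does nothing in version 2")
        elif key == "allow" and value.lower() == "security":
            res.allow_security = True
            res.messages.append(
                f"line {lineno}: 'allow: security' is not a valid version-2 setting")
        elif key == "open-pull-requests-limit" and value == "0":
            res.pr_limit_zero = True
            res.messages.append(
                f"line {lineno}: open-pull-requests-limit: 0 stops version-update PRs; "
                "security-update PRs are unaffected (separate limit of ten) and need "
                "Dependabot security updates enabled in the repository settings")
    return res


if __name__ == "__main__":
    # Constructed sample: the question's v2 config plus the limit suggested in this answer.
    SAMPLE = (
        'version: 2\n'
        'updates:\n'
        '  - package-ecosystem: "nuget"\n'
        '    directory: "/"\n'
        '    schedule:\n'
        '      interval: "monthly"\n'
        '    open-pull-requests-limit: 0\n'
    )
    for msg in lint_dependabot(SAMPLE).messages:
        print(msg)
```

Run it against the file with `lint_dependabot(open("dependabot.yml").read())`; a non-empty `v1_only_keys` or `allow_security` means the file expresses a "security only" intent that version 2 will not honour, while `pr_limit_zero` records the one version-2 setting this answer proposes.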
4

Yeah, I was having the same problem, then I found something like this GitHub community thread.

I remembered where I saw this. When using the original dependabot from the marketplace one configuration option is to only perform security updates. I have that set from one of my repositories. There is now an option in the original dependabot to generate a dependabot.yml configuration file using the settings configured in the original dependabot (to assist in transitioning to using dependabot.yml). When I do so for the repository with only security updates enabled I receive this message:

You’re using unsupported features. This repository is configured to only scan for security updates. Configuring security updates using the new config file is not supported. You can instead enable Dependabot Security Updates from the repository security settings page.

It sounds like in Dependabot v2 they have separated the security updates out into UI config; this is as bad as the GitHub action secret. But it looks like you don't need dependabot.yml to configure security patches for dependencies anymore.

Let me know if that helps.

chenrui
0

Whatever you do, do not believe the ChatGPT code. It suggests that `allow: security` is a legal answer in version 2.

Wrong answer from ChatGPT

Lucas Gonze
  • Yes, ChatGPT can't do anything properly, but gives the illusion that it does. ChatGPT is "Mansplaining as a service". Don't code with it, don't trust it, ever. – Eric Aya Apr 19 '23 at 05:41
  • There are many "answers" that don't work / don't make sense. Sharing what doesn't work is maybe worth a comment, but not an answer. – Martin Thoma Jun 12 '23 at 12:44
-2

Is this possible with self-hosted dependabot-core (more specifically, a custom dependabot-script running as a container in an Argo Workflows cron workflow)? It seems like there is a setting called `security_updates_only`, but I'm not clear whether that's meant for this purpose.

Charles Morin