Questions tagged [dependabot]

Dependabot creates pull requests to keep your dependencies secure and up-to-date.

140 questions
24 votes · 1 answer

GitHub Actions - Ignore or exclude Dependabot Pull Requests

I have a repository with Dependabot in it, that opens PR on version updates, etc., which I would like to keep. In the same repository, I have a GitHub Action for Pull Requests for my team to use. My issue is that the Dependabot keeps triggering the…
Amitb
24 votes · 1 answer

Is it possible to select a specific branch against which Dependabot should open PR's?

Like the title says, on GitHub is it possible to manually select a branch against which Dependabot should open its Pull Requests? From what I can see, it opens PR against whichever branch is set to be the main one in the repo settings, but it is…
Sekhemty
24 votes · 1 answer

Can I exclude directories from GitHub Dependabot?

I have a directory /experiments in my repo which contains - surprise! - experiments. Those usually come with their own package.json which includes dependencies that were up to date at the time I made the experiment but might be outdated by now. I…
Fred
21 votes · 4 answers

Disabling dependabot alerts for a repository on GitHub

GitHub dependabot security alerts may sometimes become a chore especially when an abandoned project that is no longer in active use receives frequent security advisories. Is there an option to disable the active security monitoring?
Jobajuba
19 votes · 3 answers

dependabot only updates lock file

We've recently switched from greenkeeper to dependabot for our dependencies checks and we noticed that dependabot is opening PRs changing only package-lock.json, leaving package.json as it was. On the other hand, greenkeeper was committing changes…
Johnny
18 votes · 4 answers

How to get dependabot to trigger for security updates only

I'm using GitHub dependabot.yml, version 2. version: 2 updates: # Nuget Packages - package-ecosystem: "nuget" directory: "/" schedule: interval: "monthly" I am trying to figure out if there is any possibility to configure it that…
Kseniia Pelykh
15 votes · 2 answers

How to GET the list of dependabot alerts via GitHub API?

How can I GET the list of dependabot alerts available at https://github.com/{user}/{repo}/security/dependabot?page=1&q=is%3Aopen via the GitHub API? I searched through the documentation but couldn't find anything there. Thanks!
大朱雀
15 votes · 3 answers

How do I automerge dependabot updates (config version 2)?

Following "Dependabot is moving natively into GitHub!", I had to update my dependabot config files to use version 2 format. My .dependabot/config.yaml did look like: version: 1 update_configs: - package_manager: "python" directory: "/" …
andyandy
13 votes · 3 answers

Dependabot "No security update is needed as ansi-regex is no longer vulnerable"

Dependabot first reported and then retracted a security problem in a package. The basis of the retraction isn't given, just that the package "is no longer vulnerable." That makes no sense. The original CVE is still out there and the affected code is…
Lucas Gonze
10 votes · 1 answer

How do I test dependabot before merging config

Is there a way to test that dependabot is working as expected before merging it to my repo? I work on a pretty large team and I want to make sure I can test the functionality before merging. I have a branch created with a PR open to our develop…
wheresmyspaceship
9 votes · 1 answer

CVE-2021-44906 Prototype Pollution in minimist

GitHub dependabot found potential security vulnerabilities in my dependencies. Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). I don't know how to fix it. What should I do?
cat_yu
8 votes · 2 answers

How to trigger dependabot scan on developer pull requests

I'm not sure if my use case is one dependabot is suited for, so hoping someone can tell me if it is or is not, and if it is, point me to some documentation on how to do what I'm describing: I want to create a workflow that: runs dependabot scan on…
RJ Cole
8 votes · 3 answers

How to use Dependabot with private packages

I need some help with Dependabot. I found out recently about this amazing package, but some of my repositories require dependencies that are private packages, created by me and used in my personal projects. Dependabot says that for any repositories…
georgekrax
6 votes · 1 answer

How to pass Dependabot OPTIONS properties to dependabot-script in Azure DevOps Pipeline

After following guides like this one I am able to successfully run dependabot against my Azure DevOps repo and it auto creates PRs. The issue is I have some customizations I need to make such as ignoring specific packages as the dependabot…
PressTheAnyKey
6 votes · 3 answers

Dependabot with AWS CodeArtifact

I'm trying to use Dependabot with AWS CodeArtifact and I keep getting authentication issues. Dependabot can't authenticate to a private package registry The following private package registry was used and caused the update to fail:…
Cae Vecchi