Dependabot can be limiting in the way you can configure it in the dependabot.yml file. There was a particular way I wanted Dependabot to create update PRs automatically that seemed unachievable based on the documentation, but I was able to find a way to "trick" Dependabot into allowing it.
The Goal
The way I wanted to configure Dependabot was to have PRs created for the following scenarios:
- All security updates.
- Major and minor version updates for any packages in my private registry.
Here is a configuration that allows PRs for security updates only (the open-pull-requests-limit: 0 line does that), but does nothing for goal #2 above:
version: 2
updates:
  - package-ecosystem: 'npm'
    directory: '.'
    schedule:
      interval: 'daily'
    open-pull-requests-limit: 0
Here is a configuration that allows major and minor version updates for packages from my private registry, but does nothing for goal #1 above:
version: 2
registries:
  mycompany:
    type: npm-registry
    url: 'https://npm.pkg.github.com'
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    registries:
      - 'mycompany'
    schedule:
      interval: 'daily'
    allow:
      - dependency-name: '@mycompany/*'
    ignore:
      - dependency-name: '@mycompany/*'
        update-types: ['version-update:semver-patch']
The Problem
The configuration above will allow PRs for version updates of @mycompany dependencies to be created for major and minor version bumps. Great! The problem, however, is that this filters out all security updates. I could get the security updates back by removing the allow and ignore options, but then I'd get all version updates, which I don't want.
This problem occurs because Dependabot only allows one update configuration per package-ecosystem (see the documentation). To be more accurate, it only allows one update configuration per package-ecosystem and directory combination, which is what enables different configurations for different packages in a monorepo.
The Solution
When trying to find a way around this limitation so I could get the Dependabot behavior I was after, I focused on how I could have multiple update configurations for the npm package-ecosystem while continuing to target the root directory in both (since I don't have a monorepo). Ultimately, I was able to use two different strings that both resolve to the root directory when the workflow executes.
The default root path you see in the Dependabot documentation is /, which in Linux represents the "root" of the filesystem. Linux also supports ., which represents the current directory. I tested and confirmed that both end up targeting the root of my codebase. Because Dependabot treats '/' and '.' as two distinct directory values, this allows two update configurations for the npm package-ecosystem, both successfully targeting the root directory.
Here was my final dependabot.yml config:
version: 2
registries:
  mycompany:
    type: npm-registry
    url: 'https://npm.pkg.github.com'
updates:
  # npm packages for @mycompany major and minor updates only
  - package-ecosystem: 'npm'
    directory: '/'
    registries:
      - 'mycompany'
    schedule:
      interval: 'daily'
    allow:
      - dependency-name: '@mycompany/*'
    ignore:
      - dependency-name: '@mycompany/*'
        update-types: ['version-update:semver-patch']
  # npm packages for security updates only
  - package-ecosystem: 'npm'
    directory: '.'
    schedule:
      interval: 'daily'
    open-pull-requests-limit: 0
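Since this setup depends on Dependabot keying entries on the literal directory string rather than the resolved path, it helps to have a check that finds entries which collapse onto the same directory, so the reliance is visible if Dependabot ever starts normalizing paths. The following is an added example, not part of the post or of Dependabot itself: the dict is the parsed form of the final config above, embedded so it runs without a YAML library, and the function names are my own.

```python
import posixpath
from collections import defaultdict

# Constructed: the parsed form of the final dependabot.yml shown above.
DEPENDABOT_CONFIG = {
    "version": 2,
    "registries": {
        "mycompany": {"type": "npm-registry", "url": "https://npm.pkg.github.com"},
    },
    "updates": [
        {
            "package-ecosystem": "npm",
            "directory": "/",
            "registries": ["mycompany"],
            "schedule": {"interval": "daily"},
            "allow": [{"dependency-name": "@mycompany/*"}],
            "ignore": [{"dependency-name": "@mycompany/*",
                        "update-types": ["version-update:semver-patch"]}],
        },
        {
            "package-ecosystem": "npm",
            "directory": ".",
            "schedule": {"interval": "daily"},
            "open-pull-requests-limit": 0,
        },
    ],
}


def normalize_directory(directory: str) -> str:
    """Collapse the spellings of a repo-relative directory ('/', '.', './', '/.')
    onto one canonical path so entries can be compared by where they point."""
    return posixpath.normpath("/" + directory.lstrip("/"))


def entry_mode(entry: dict) -> str:
    """'security-only' when version updates are disabled with
    open-pull-requests-limit: 0, otherwise 'version-updates'."""
    return "security-only" if entry.get("open-pull-requests-limit") == 0 else "version-updates"


def find_overlapping_entries(config: dict) -> list:
    """Return (ecosystem, canonical directory, [modes]) for each ecosystem whose
    entries target the same directory once spellings are normalized. Dependabot
    only accepts these because it compares the raw directory strings."""
    groups = defaultdict(list)
    for entry in config.get("updates", []):
        key = (entry["package-ecosystem"], normalize_directory(entry["directory"]))
        groups[key].append(entry_mode(entry))
    return [(eco, d, modes) for (eco, d), modes in groups.items() if len(modes) > 1]
```

In practice, load the real file with yaml.safe_load and pass the result to find_overlapping_entries; a non-empty result means the config relies on the '/' versus '.' distinction described above.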