DEV Community

Mike E

Tricking Dependabot into allowing multiple update configs for one package ecosystem

Dependabot is fairly limiting in how it can be configured through the dependabot.yml file. There was a particular way I wanted Dependabot to create update PRs that looked unachievable according to the documentation, but I found a way to "trick" Dependabot into allowing it.

The Goal

The way I wanted to configure Dependabot was to have PRs created for the following scenarios:

  1. All security updates.
  2. Major and minor version updates for any packages in my private registry.

Here is a configuration that allows PRs for security updates only (the open-pull-requests-limit: 0 line suppresses version-update PRs), but does nothing for goal #2 above:

version: 2
updates:
  - package-ecosystem: 'npm'
    directory: '.'
    schedule:
      interval: 'daily'
    open-pull-requests-limit: 0

Here is a configuration that allows for major and minor version updates for my private registry, but does nothing for goal #1 above:

version: 2
registries:
  mycompany:
    type: npm-registry
    url: 'https://npm.pkg.github.com'
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    registries:
      - 'mycompany'
    schedule:
      interval: 'daily'
    allow:
      - dependency-name: '@mycompany/*'
    ignore:
      - dependency-name: '@mycompany/*'
        update-types: ['version-update:semver-patch']

The Problem

The configuration above allows PRs to be created for major and minor version bumps of @mycompany dependencies. Great! The problem, however, is that it filters out all security updates. I could get the security updates back by removing the allow and ignore options, but then I'd get every version update, which I don't want.

This problem occurs because Dependabot only allows one update configuration per package-ecosystem (documentation). To be accurate, it allows one update configuration per combination of package-ecosystem and directory, which is what lets you configure different packages differently in a mono repo.

The Solution

While looking for a way around this limitation, I focused on how to have multiple update configurations for the npm package-ecosystem that all target the root directory (since I don't have a mono repo). The answer turned out to be using different directory strings that resolve to the same root directory when the workflow runs.

The default root path shown in the Dependabot documentation is /, which in Linux denotes the root of the filesystem. Linux also accepts ., which denotes the current directory. I tested and confirmed that both end up targeting the root of my codebase. Because the two strings differ, Dependabot accepts two update configurations for the npm package-ecosystem, and both successfully target the root directory.

Here was my final dependabot.yml config:

version: 2
registries:
  mycompany:
    type: npm-registry
    url: 'https://npm.pkg.github.com'
updates:
  # npm packages for @mycompany major and minor updates only
  - package-ecosystem: 'npm'
    directory: '/'
    registries:
      - 'mycompany'
    schedule:
      interval: 'daily'
    allow:
      - dependency-name: '@mycompany/*'
    ignore:
      - dependency-name: '@mycompany/*'
        update-types: ['version-update:semver-patch']
  # npm packages for security updates only
  - package-ecosystem: 'npm'
    directory: '.'
    schedule:
      interval: 'daily'
    open-pull-requests-limit: 0
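As an added check, not part of this post or of Dependabot itself, here is a small Python lint for the final config above. It writes the dependabot.yml out as the structure a YAML loader would produce (hand-constructed so no third-party YAML library is needed), flags the literal (ecosystem, directory) duplicate that Dependabot rejects, and separately reports entries whose directory strings differ but resolve to the same place, so the overlap is visible as an intentional choice. It assumes what the post observed: the duplicate check compares the directory strings as written, while the checkout resolves both / and . to the repository root. The functions resolve_directory, literal_collisions, resolved_collisions, update_kind, lint and with_directory are mine, not Dependabot's.

```python
import copy
import posixpath
from collections import defaultdict

# The post's final dependabot.yml, as the structure a YAML loader would return.
# Constructed by hand for this example so it runs without PyYAML.
FINAL_CONFIG = {
    "version": 2,
    "registries": {
        "mycompany": {"type": "npm-registry", "url": "https://npm.pkg.github.com"},
    },
    "updates": [
        {   # npm packages for @mycompany major and minor updates only
            "package-ecosystem": "npm",
            "directory": "/",
            "registries": ["mycompany"],
            "schedule": {"interval": "daily"},
            "allow": [{"dependency-name": "@mycompany/*"}],
            "ignore": [{"dependency-name": "@mycompany/*",
                        "update-types": ["version-update:semver-patch"]}],
        },
        {   # npm packages for security updates only
            "package-ecosystem": "npm",
            "directory": ".",
            "schedule": {"interval": "daily"},
            "open-pull-requests-limit": 0,
        },
    ],
}


def resolve_directory(directory: str) -> str:
    """Map a `directory` value onto a checkout path the way the post observed:
    '/' and '.' both land on the repository root. Assumption: the value is
    joined onto the repo root and normalised as a POSIX path."""
    return posixpath.normpath(posixpath.join("/", directory))


def _group_duplicates(config, key_fn):
    """Indexes of `updates` entries sharing a key, keeping only groups of 2+."""
    groups = defaultdict(list)
    for idx, entry in enumerate(config["updates"]):
        groups[key_fn(entry)].append(idx)
    return {key: idxs for key, idxs in groups.items() if len(idxs) > 1}


def literal_collisions(config):
    """(ecosystem, directory string) pairs used by more than one entry.
    This is the duplicate the post says Dependabot refuses to accept."""
    return _group_duplicates(
        config, lambda e: (e["package-ecosystem"], e["directory"]))


def resolved_collisions(config):
    """(ecosystem, resolved directory) pairs shared by more than one entry:
    entries that target the same manifest even though their strings differ."""
    return _group_duplicates(
        config, lambda e: (e["package-ecosystem"], resolve_directory(e["directory"])))


def update_kind(entry):
    """Classify an entry as the post uses them: a pull-request limit of 0
    suppresses version-update PRs and leaves only security updates."""
    return "security-only" if entry.get("open-pull-requests-limit") == 0 else "version-updates"


def lint(config):
    """Human-readable findings for a dependabot config."""
    findings = []
    for key, idxs in literal_collisions(config).items():
        findings.append(f"ERROR duplicate {key} in updates {idxs}; Dependabot rejects this")
    for key, idxs in resolved_collisions(config).items():
        kinds = ", ".join(update_kind(config["updates"][i]) for i in idxs)
        findings.append(f"NOTE entries {idxs} all resolve to {key} ({kinds})")
    if "security-only" not in [update_kind(e) for e in config["updates"]]:
        findings.append("WARN no security-only entry; allow/ignore filters hide security updates")
    return findings


def with_directory(config, index, directory):
    """Deep copy of `config` with one entry's directory replaced, to show
    what the rejected literal duplicate looks like."""
    clone = copy.deepcopy(config)
    clone["updates"][index]["directory"] = directory
    return clone


if __name__ == "__main__":
    print("final config:", lint(FINAL_CONFIG))
    print("both entries on '/':", lint(with_directory(FINAL_CONFIG, 1, "/")))
```

The NOTE finding is deliberate: the trick relies on Dependabot comparing the directory strings as written, which the post observed but the documentation does not promise, so a config review should see that two entries overlap rather than silently depending on it.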
