Try configuring Dependabot for security updates #9877
Merged
changelog: Internal, Dependencies, Configure Dependabot to create automatic pull requests for security advisories
mitchellhenke approved these changes Jan 8, 2024

Contributor, Author:
We should know shortly after this is merged if it's successful; I'll try to trigger a manual run to see if we can catch the outstanding Puma upgrade.
🛠 Summary of changes
Revises the Dependabot configuration to restore the behavior of automatic update pull requests for security advisories.

Based on Dependabot logs bailing with "all versions were ignored" messaging, it's suspected that customizations to Dependabot implemented in #9055 and #5462 are taking precedence over the default Dependabot configuration for security advisories, which was not the intent. Our `bundler-audit` and `yarn audit`-based dependency auditing has worked as a fallback option, but it would be nice to configure Dependabot to automatically update dependencies on our behalf when a new version is available.

While GitHub does not provide specific example configurations for our setup, this is based partly on documentation that "If you only require security updates and want to exclude version updates, you can set `open-pull-requests-limit` to `0` in order to prevent version updates for a given `package-ecosystem`".

📜 Testing Plan
This may not be possible to test until merged. After it is merged, it's expected that we'd receive Dependabot pull requests for both security advisories, as well as the package-specific version updates currently configured.
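As an added illustration of the `open-pull-requests-limit` approach quoted in the description (this is not the repository's `.github/dependabot.yml` and not the diff from this PR), the following shows the configuration shape that produces the "all versions were ignored" failure next to the corrected shape. The ecosystems, directories, schedule values and the `puma` ignore rule are assumptions made for the example.

```yaml
# .github/dependabot.yml -- added example, not the configuration from PR #9877.
# Ecosystems, directories, schedule values and dependency names are assumed.
version: 2
updates:
  # BEFORE (the pattern the PR description suspects), shown commented out because
  # Dependabot allows only one entry per package-ecosystem/directory pair.
  # A blanket `ignore` rule meant to silence routine version bumps also applies
  # to security updates: once every candidate version is ignored, the security
  # run bails with "all versions were ignored" and no advisory PR is opened.
  #
  # - package-ecosystem: "bundler"
  #   directory: "/"
  #   schedule:
  #     interval: "weekly"
  #   ignore:
  #     - dependency-name: "*"
  #       update-types:
  #         - "version-update:semver-major"
  #         - "version-update:semver-minor"
  #         - "version-update:semver-patch"

  # AFTER: suppress version-update PRs with `open-pull-requests-limit: 0`
  # instead of ignoring versions. That limit applies only to version updates,
  # so security-advisory PRs (for example a Puma fix) are still created.
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    # Keep any remaining ignore rules narrow and dependency-specific; a rule
    # scoped like this cannot swallow a security fix for the whole ecosystem.
    ignore:
      - dependency-name: "puma"
        update-types: ["version-update:semver-major"]

  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
```

After a change like this, the check a practitioner wants is the Dependabot run log for the ecosystem: a healthy security run lists the advisory and the candidate version it selected rather than ending with the "all versions were ignored" message, and the resulting PR carries the security-update label rather than the version-update one.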