[Feature request] Opt out minor and patch versions #2219
Comments
@bustikiller ah yeah there's currently no way to disable all minor and patch releases. From experience upgrading to major releases without going through minor/patch releases usually makes the transition more painful as the minors sometimes introduce deprecations to make the update easier. Not ideal but you could reduce some noise by ignoring minor versions of the most frequently updated dependencies from the PR with I'll keep this open to see if anyone else is also keen on this. Thanks for the suggestion!
@bustikiller perhaps you might reduce the noise while still getting the benefit of the updates by letting dependabot auto-merge minor updates? That's configurable per project, and separately for dev/production dependencies too.
+1 for this feature request, the ability to ignore patch version updates would be great.
+1 for ignoring patch updates. This would be great to configure in the config.yml
We at Embark would love to be able to have Dependabot skip patch versions as well for our Rust projects. They create too much noise as multiple per day are updated and it is too much overhead to get a PR for each update, even if it is just weekly. So for patch version updates we handle that manually ourselves through frequent
Per what @Floppy mentioned, would auto-merging patch updates take care of the noise problem for folks, or is that not an option in your organization? We've found that auto-merging minor and patch after tests pass forces good testing practices primarily in that it forces you to rely on your tests. Like I mentioned, though, not possible in every org.
@richardson-trevor I understand the benefits of doing that, but this would only work if all dependencies followed semantic versioning. We have experienced patch version upgrades that broke production environments. For this reason, we prefer to test every dependency upgrade before going live. But it is not feasible for us to test every dependency upgrade if we have dozens every month. I would prefer to have fewer dependency upgrades that we can properly test.
That's fair. We do shoot for our tests telling us that one of our deps is about to break production if there was a breaking change, but there are no-doubt cases that do slip through the cracks (or get stubbed out, which has been the source of our issues). In our situation we're able to kick out a new release to prod very quickly if this comes up, but this has only happened a few times in our course of about two years of moving to this mindset.
Based on the options available at https://dependabot.com/docs/config-file, configured:
- Security-only updates for development libraries
- Allowed all updates for production libraries
- Scheduled dependabot updates to weekly

No options available to configure major/minor/patch versions. Can be done once the feature is added by dependabot: https://github.com/dependabot/feedback/issues/256
Is this feature being worked on?
Not at the moment. We're a tiny team and are prioritizing getting Automated Security Fixes working for all GitHub repos and fully integrating Dependabot into GitHub.
Thanks @greysteil for the response. Is there an issue marked with
Frustratingly this one would need changes to our backend codebase, which isn't open source, rather than Dependabot Core.
Reason: too many PRs for patch releases (http://bit.ly/35gqXpS). There's no option to opt out of patch releases: https://github.com/dependabot/feedback/issues/256
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.
Pinging on this issue so that it's not closed by stalebot.
Dependabot has an option of opting out of minor versions. However, it has to be done on each PR and can't be added as a default in the config.
This could be a low hanging fruit in my opinion. You already have the machinery for automerge updates. In fact, you can do

```yaml
automerged_updates:
  - match:
      update_type: "semver:patch"
```

but for some reason you can't do

```yaml
ignored_updates:
  - match:
      update_type: "semver:patch"
```

because update_type can't be used there. Even this doesn't work

```yaml
allowed_updates:
  - match:
      update_type: "semver:patch"
```

because in this context update_type can only be
In addition to what @itajaja mentioned, Dependabot allows us to ignore major/minor versions in a PR by responding with "ignore this major/minor version". That means this feature is already there. They just need to make it configurable by users, which is not getting prioritized.
This would be a great (per-repo) config option! Like @repi said: patch versions create so much noise, and usually add so little value, unless they actually fix something we're using.
Commenting to 👍 this issue. This is why I'm using both dependabot and greenkeeper: dependabot for security-only updates, and greenkeeper for updating dependencies that don't fall into the given semver, which for most of mine means not creating PRs for minor and patch updates, only for major updates.
I just came across update strategy. Not sure how dependabot calculates the version requirement; I'm trying it in one of my side projects.
+1 for this, patch PRs create so much noise and so little value that it should be configurable to opt out from those updates. IMHO, this should be a valid config:

```yaml
version: 1
update_configs:
  - package_manager: "javascript"
    directory: "/"
    update_schedule: "daily"
    ignored_updates:
      - match:
          dependency_name: "firebase"
          update_type: "semver:patch"
```
+1 for this
+1 Every day, we merge in 10+ patch updates. It'd be really nice to not have so much noise in many places, especially in our commit history.
+1 so this doesn't sink: especially that the internal workings are already there.
+1
This issue is even more critical now that the "ignore this major/minor version" command is gone in the new integrated Dependabot. I really don't want to clutter my commit history with a bunch of Dependabot management changes any time a package releases a new version I want to ignore. GitHub doesn't have any proper documentation I could find on the version specification format either, which doesn't seem to exactly match npm or similar tools.
I have similar feelings about the differences between major and minor/patch releases, but my preference is a bit let complicated than that from a workflow perspective: I'd like to have two different schedules for the same
#1778 is the feature request you're seeking, and it's something we've thought about in the course of this, but haven't scheduled yet. |
https://github.blog/changelog/2021-05-21-dependabot-version-updates-can-now-ignore-major-minor-patch-releases/ is the official release of this feature (though you all have been using it all week ;) Thanks for the patience with us on getting this shipped, as well as the feedback along the way. It's much appreciated. I'm going to close this issue--if you've got additional issues or feature requests, please file the appropriate issue on this repo and we'll get to it soon! |
Now this: #2511 |
I'm using this feature now but I'm getting "weird" responses. I have a very basic configuration overall to only allow patches on semver:

```yaml
version: 2
updates:
  - package-ecosystem: composer
    directory: /
    target-branch: develop
    schedule:
      interval: weekly
    versioning-strategy: increase-if-necessary
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-minor", "version-update:semver-major"]
```

The thing is that I'm receiving these PRs:
Below is the log output.
Is there anything that I'm missing here? Maybe @asciimike knows? Is this due to the fact I'm using both major and minor?
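Both configurations in this thread, the proposed v1 `ignored_updates` block and the v2 `ignore` block just above, come down to the same two questions: is a candidate release a major, minor or patch bump relative to the locked version, and does an ignore rule's `dependency-name` glob plus `update-types` list catch that bump? The following is an added Python model of that matching, written for this thread and not Dependabot's own code. It takes the v2 configuration above as a dict (the shape PyYAML would load it into), classifies a few constructed composer-package bumps with plain semver rules, and reports which ones the rules would suppress. The package names and version numbers are constructed, the `versions` range key is deliberately not modelled, and the `?`/`[...]` glob characters accepted by `fnmatchcase` go beyond the `*` wildcard Dependabot documents.

```python
"""Offline model of Dependabot v2 `ignore` matching for version updates.

Added example written for this thread; it is not Dependabot's own code. It
mirrors the documented semantics of `ignore` entries with `dependency-name`
(a glob) and `update-types` (semver-major / semver-minor / semver-patch).
The `versions` range key is NOT modelled.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Constructed input: the v2 configuration from the thread, in the shape
# PyYAML's safe_load would produce for it.
CONFIG: Dict = {
    "version": 2,
    "updates": [
        {
            "package-ecosystem": "composer",
            "directory": "/",
            "target-branch": "develop",
            "schedule": {"interval": "weekly"},
            "versioning-strategy": "increase-if-necessary",
            "ignore": [
                {
                    "dependency-name": "*",
                    "update-types": [
                        "version-update:semver-minor",
                        "version-update:semver-major",
                    ],
                }
            ],
        }
    ],
}

# Constructed candidates: (dependency, currently locked version, newest release).
CANDIDATES: List[Tuple[str, str, str]] = [
    ("symfony/console", "5.2.3", "5.2.4"),  # patch bump
    ("symfony/console", "5.2.3", "5.3.0"),  # minor bump
    ("monolog/monolog", "2.0.0", "3.0.0"),  # major bump
    ("psr/log", "1.1.4", "1.1.4"),          # already current
]


def parse_semver(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); tolerates a leading 'v' and -prerelease/+build suffixes."""
    core = version[1:] if version.startswith("v") else version
    core = core.split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"not a semver version: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def update_type(current: str, candidate: str) -> Optional[str]:
    """Classify the bump with Dependabot's update-types labels; None if it is not an upgrade."""
    cur, new = parse_semver(current), parse_semver(candidate)
    if new <= cur:
        return None
    if new[0] != cur[0]:
        return "version-update:semver-major"
    if new[1] != cur[1]:
        return "version-update:semver-minor"
    return "version-update:semver-patch"


def is_ignored(update_block: Dict, dependency: str, current: str, candidate: str) -> bool:
    """True if an `ignore` rule in this update block suppresses the candidate.

    A rule applies when its dependency-name glob matches and, when the rule
    carries update-types, the bump's type is listed. A rule with no
    update-types ignores every update of the matched dependency.
    """
    kind = update_type(current, candidate)
    if kind is None:
        return True  # nothing to update, so no PR either way
    for rule in update_block.get("ignore", []):
        if not fnmatchcase(dependency, rule.get("dependency-name", "*")):
            continue
        types = rule.get("update-types")
        if types is None or kind in types:
            return True
    return False


def expected_prs(config: Dict, candidates: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (dependency, candidate version, update type) for every bump the config lets through."""
    allowed = []
    for block in config["updates"]:
        for dep, cur, new in candidates:
            if not is_ignored(block, dep, cur, new):
                allowed.append((dep, new, update_type(cur, new)))
    return allowed


if __name__ == "__main__":
    block = CONFIG["updates"][0]
    for dep, cur, new in CANDIDATES:
        verdict = "ignored" if is_ignored(block, dep, cur, new) else "PR raised"
        print(f"{dep}: {cur} -> {new} ({update_type(cur, new)}): {verdict}")
    # With the thread's config, only the patch bump should produce a PR.
```

Run as a script it prints one verdict per candidate; with the configuration from the thread only the `5.2.3 -> 5.2.4` patch bump survives, so minor PRs showing up would point at the config not reaching Dependabot as written (for instance an unquoted value or an intermediate layer dropping keys) rather than at the `ignore` semantics. Swapping the list for `["version-update:semver-minor", "version-update:semver-patch"]` models the behaviour the original request asks for: major bumps only.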
@pimjansen interesting, it should have some logs around ignoring versions (e.g. saying "foo is being ignored"). Would you mind removing
I tried but it fails with an error that auto is not a valid value though. Using composer as a package manager, so I guess it is either not implemented or wrong in the docs. When I checked the code, auto is not flagged as a valid value.
Odd, as you say, according to https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#versioning-strategy it should be supported for
Thanks, will also add some extra logs. I'm using this extension though: https://github.com/tinglesoftware/dependabot-azure-devops Since there is no native integration for Azure DevOps, this plugin seems the easiest way to go. Overall it boots the latest core docker image.
@pimjansen if you're able to provide the org/repo as well, we can pull logs. If it's private/you don't want to share, feel free to email me at my username at github dot com.
It is not on GitHub so that would be hard. Let me copy the package files to a public repo and run it via actions to see if it handles the same.
@asciimike I added a repo on GitHub but no idea how I can trigger it manually though to do a full run. I see that 3 PRs are raised but those are security. Can you review that maybe? Like mentioned earlier, since there is no native integration for DevOps we use this layer (which is also available as an extension like GitHub actions): https://github.com/tinglesoftware/dependabot-azure-devops
@pimjansen Have you confirmed whether the
From which version is it in? The latest image there should be at 0.149.1 though, which is just a few days old.
@asciimike confirmed with the lib that not all was sent properly upstream to Dependabot. Sorry for all the noise.
We are using the GitHub dependabot bot and even though we have configured it not to ignore major version bumps (https://github.com/lensapp/lens/blob/master/.dependabot/config.yml#L18-L21), we still are seeing them: lensapp/lens#3019. That PR is 9 hours old, and the config was changed 16 days ago. Any help would be appreciated.
@Nokel81 I would try following the syntax as described in the docs, in other words:
Okay will do |
Actually I think the docs reflect it as a string as well and not as an object: update-types: vs update-types: However, best to align 1 on 1 with the docs though.
The actual problem was that I hadn't quoted the
dependabot/dependabot-core#2219 (comment) Signed-off-by: Lucas Larson <LucasLarson@riseup.net>
For organizations with many projects sometimes it is hard to keep track of all the dependency updates. I would like to get only updates for major & security releases (opt-out from minor and patch versions), configurable per project.