
Security updates ignoring target-branch configuration #2767

Open
ghost opened this issue Nov 16, 2020 · 8 comments
Labels
F: pull-requests Issues about Dependabot pull requests F: security-updates 🔐 Issues specific to security updates T: bug 🐞 Something isn't working

Comments


ghost commented Nov 16, 2020

With the following dependabot.yml:

version: 2
updates:
  # Updates for JS
  - package-ecosystem: "npm"
    directory: "/client"
    schedule:
      interval: "daily"
    target-branch: "develop"

  - package-ecosystem: "npm"
    directory: "/deployment"
    schedule:
      interval: "daily"
    target-branch: "develop"

  # Updates for Java
  - package-ecosystem: "gradle"
    directory: "/api"
    schedule:
      interval: "daily"
    target-branch: "develop"

Dependabot is creating PRs against master instead of develop as seen here:
[screenshot]

even within the same directory as in:

[screenshot]

[screenshot]

@ghost ghost added the T: bug 🐞 Something isn't working label Nov 16, 2020
@feelepxyz (Contributor)

@pepperrone this is an issue between how Dependabot version updates (configured using the config file) and Security updates work, which you can enable from the Repository/Security tab or Repository/Settings/Security & analysis.

These two products do slightly different things, as security updates respond to security alerts from the Dependency Graph, which only knows about manifests on your default branch.

Thanks for raising this though as it's not something I've seen reported before. We're working on ways to allow configuring security updates using the config file and this is something we'll need to look into.

@Gicminos

+1 It would be very nice to have a way to select the target-branch also for security pull requests. Or otherwise, a way on how to rebase a PR on a different target branch as described here: #2146 would be already good enough!


ndrewtl commented Apr 11, 2022

Hi @feelepxyz, are there any updates on this? There is clearly demand for this feature as seen here, in the issue @Gicminos mentioned, and in the reply to this StackOverflow message. It is a very common workflow for teams to have all updates pushed to a develop branch, which is only later merged into main. Introducing changes directly into main can cause ugly merge conflicts, which slow down the security update process rather than speed it up. If all else fails, could we have a separate configuration option to configure the branch for security update PRs? Thanks so much for maintaining, and let us know if you have other thoughts.

@feelepxyz (Contributor)

@ndrewtl I'm no longer working on Dependabot so can't give a good answer to this unfortunately.

cc PM @exvuma

@gperiotto

Hi all, any update on the status of this change? It would definitely be a welcomed one!

@jeffwidman jeffwidman changed the title Ignoring target-branch Security updates ignoring target-branch configuration Nov 24, 2022
@jeffwidman jeffwidman added F: pull-requests Issues about Dependabot pull requests F: security-updates 🔐 Issues specific to security updates labels Nov 24, 2022
@jeffwidman (Member)

jeffwidman commented Nov 24, 2022

While nothing has changed for supporting the target-branch config, I did want to drop some bread crumbs re: related docs for what is currently supported in case future searchers run across this issue while searching for something related:

jsafrane added a commit to kubernetes-csi/node-driver-registrar that referenced this issue Jun 14, 2023
Testing if dependabot can create security pull request for release-2.6, 2.7 and 2.8 branches.

I am trying to cheat with a separate `updates` entry per branch.

Most likely dependabot cannot bump only security-relevant dependencies in older branches, see dependabot/dependabot-core#2767 (comment)
jsafrane added a commit to jsafrane/node-driver-registrar that referenced this issue Jun 15, 2023
Testing if dependabot can create security pull request for release-2.6, 2.7 and 2.8 branches.

I am trying to cheat with a separate `updates` entry per branch.

Most likely dependabot cannot bump only security-relevant dependencies in older branches, see dependabot/dependabot-core#2767 (comment)
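As an added illustration of the two points made in this thread (the maintainer's explanation that security updates follow Dependency Graph alerts on the default branch, and the per-branch "cheat" in the commit messages above), here is an example dependabot.yml that is not the reporter's file or the node-driver-registrar project's own configuration. It keeps the `npm` / `/client` / `develop` entry from the original report and adds one `updates` entry per maintained release branch; the branch names `release-2.6` and `release-2.7` are borrowed from the commit message and assumed to exist in this repository, and the patch-only `ignore` policy is an assumption about what a stable branch should accept.

```yaml
version: 2
updates:
  # Version updates for the integration branch (entry from the original report).
  - package-ecosystem: "npm"
    directory: "/client"
    schedule:
      interval: "daily"
    target-branch: "develop"

  # Workaround: one additional entry per maintained release branch (branch names
  # assumed for this example). Each entry is a full version-update configuration,
  # not a security-only feed, so it will open PRs for every outdated dependency on
  # that branch that the ignore rules below do not exclude.
  - package-ecosystem: "npm"
    directory: "/client"
    schedule:
      interval: "weekly"
    target-branch: "release-2.6"
    ignore:
      # Policy assumption: release branches take patch-level bumps only.
      - dependency-name: "*"
        update-types: ["version-update:semver-major", "version-update:semver-minor"]

  - package-ecosystem: "npm"
    directory: "/client"
    schedule:
      interval: "weekly"
    target-branch: "release-2.7"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major", "version-update:semver-minor"]
```

Two caveats follow directly from the thread. Repeating the same `package-ecosystem` and `directory` pair is only accepted when each copy names a distinct `target-branch`, which is what makes the per-branch trick possible at all. And none of these entries changes where Dependabot security updates land: those PRs are driven by Dependency Graph alerts for the default branch and ignore `target-branch`, so a fix that must reach `develop` or a release branch still has to be carried there by the version-update entries above or by hand.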
@sunnylovestiramisu

Is there any ongoing effort to work on this feature support?

@TG-MarioAlten

Any news on this topic?
As stated above
"It is a very common workflow for teams to have all updates pushed to a develop branch, which is only later merged into main. Introducing changes directly into main can cause ugly merge conflicts, which slow down the security update process rather than speed it up"


7 participants