
Dependabot updating dependencies from wrong package manager #2965

Closed
amogkam opened this issue Jan 11, 2021 · 7 comments
Labels
T: bug 🐞 Something isn't working

Comments

@amogkam

amogkam commented Jan 11, 2021

We have recently added Dependabot for our repo and want to do pip updates only, but Dependabot is updating Java dependencies as well even though this is not configured.

Our dependabot.yml file looks like this:

```yaml
version: 2
updates:
  # Tune/SGD/Doc requirements
  - package-ecosystem: "pip"
    # The requirements base directory currently only contains tune requirements.
    # If we want to add more requirements here (Core, RLlib, etc.), then we should make subdirectories for each one.
    directory: "/python/requirements"
    schedule:
      # TODO(amogkam) change this to weekly after some initial validation.
      interval: "daily"
      # 8 PM
      time: "20:00"
      # Use Pacific Standard Time
      timezone: "America/Los_Angeles"
    commit-message:
      prefix: "[tune]"
      include: "scope"
    # Only 3 upgrade PRs at a time.
    open-pull-requests-limit: 3
    reviewers:
      - "ray-project/ray-tune"
```

Only pip updates should be setup, but Dependabot has been creating PRs for Java updates and in a different directory than what's specified here.
ray-project/ray#13316
ray-project/ray#13317

Is there anything that's wrong with our yaml file? If Java package manager is not configured I would expect Dependabot not to make any PRs to update the Java dependencies.

@amogkam amogkam added the T: bug 🐞 Something isn't working label Jan 11, 2021
@amogkam
Author

amogkam commented Jan 11, 2021

Also the Dependabot tab on the repo is only showing Python, so it's very odd why it's updating Java dependencies as well.

@qnighy
Contributor

qnighy commented Jan 12, 2021

I'm also getting npm/yarn updates for a repository where only gomod and docker updates are enabled.

@feelepxyz
Contributor

@amogkam it looks like those PRs are from Dependabot security updates which were generated from the Dependabot alert page under the repository security tab. You can also disable automated security updates from the repo settings > security & analysis page (or for all repos from org settings > security & analysis settings).

We're aware of the issue between configuring version updates (config file only) which run on a schedule and security updates (triggered from dependabot alerts, both manually for old alerts and automatically when new alerts are found on the repo). We have some plans to improve this in the future.

@amogkam
Author

amogkam commented Jan 13, 2021

@feelepxyz are Dependabot security updates automatically enabled? We never enabled it manually.

@amogkam
Author

amogkam commented Jan 13, 2021

Also, these security update PRs are still considered as part of the 3 open PRs quota that we have set in the dependabot.yaml file. Is that expected? Or are security updates supposed to be completely separate from version updates?

@amogkam
Author

amogkam commented Jan 13, 2021

Ah @feelepxyz never mind about it being automatically enabled. Looks like someone from our side triggered the security update PRs.

@feelepxyz
Contributor

> Also, these security update PRs are still considered as part of the 3 open PRs quota that we have set in the dependabot.yaml file. Is that expected? Or are security updates supposed to be completely separate from version updates?

No not currently, there's a separate open pull request limit (10) that only applies to automatically opened security updates, you can create any number of security updates if you trigger them manually.
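The thread turns on two facts: version updates are driven only by `dependabot.yml` (with its per-ecosystem `open-pull-requests-limit`), while security updates come from the alerts page and have their own ceiling. A practical way to tell the two apart on a repo is to reconcile the open `dependabot/...` branches against the config: any branch whose package manager or directory is not configured cannot be a version update. The script below is an added example, not code from this issue or from Dependabot itself. It embeds the parsed form of the `dependabot.yml` quoted above, a constructed list of branch names, and assumes Dependabot's branch naming of `dependabot/<package-manager>/[<directory>/]<dependency>-<version>` together with the ecosystem-to-segment mapping in `ECOSYSTEM_BRANCH_SEGMENT` (check both against your own PRs before relying on them).

```python
"""Reconcile open Dependabot branches against a dependabot.yml.

Added example (not from the issue or from Dependabot's own code).
ASSUMPTION: Dependabot names branches
    dependabot/<package-manager>/[<directory>/]<dependency>-<version>
and uses the segments in ECOSYSTEM_BRANCH_SEGMENT for each ecosystem.
"""
import re
from collections import Counter

# Parsed form of the dependabot.yml quoted in the issue (only the keys that
# matter here); in practice load the file with yaml.safe_load().
DEPENDABOT_CONFIG = {
    "version": 2,
    "updates": [
        {
            "package-ecosystem": "pip",
            "directory": "/python/requirements",
            "open-pull-requests-limit": 3,
        },
    ],
}

# dependabot.yml `package-ecosystem` value -> branch-name segment (assumed).
ECOSYSTEM_BRANCH_SEGMENT = {
    "pip": "pip",
    "npm": "npm_and_yarn",
    "gomod": "go_modules",
    "docker": "docker",
    "maven": "maven",
    "gradle": "gradle",
    "bundler": "bundler",
}

# Ceiling for automatically opened security-update PRs, as stated by the
# maintainer in this thread (manually triggered ones are not limited).
SECURITY_UPDATE_LIMIT = 10

# Constructed sample of open branches on a repo like the one in the issue.
SAMPLE_BRANCHES = [
    "dependabot/pip/python/requirements/pytest-6.2.1",
    "dependabot/pip/python/requirements/numpy-1.19.5",
    "dependabot/maven/java/runtime/com.google.guava-guava-30.1-jre",
    "dependabot/npm_and_yarn/dashboard/lodash-4.17.20",
    "feature/not-dependabot",
]

BRANCH_RE = re.compile(r"^dependabot/(?P<manager>[^/]+)/(?P<rest>.+)$")


def configured_managers(config):
    """Return {branch_segment: (directory, pr_limit)} for each configured ecosystem.

    5 is Dependabot's default open-pull-requests-limit when the key is absent.
    """
    out = {}
    for entry in config.get("updates", []):
        eco = entry["package-ecosystem"]
        segment = ECOSYSTEM_BRANCH_SEGMENT.get(eco, eco)
        out[segment] = (entry.get("directory", "/"), entry.get("open-pull-requests-limit", 5))
    return out


def classify_branches(config, branches):
    """Split branches into 'version' (manager AND directory are configured),
    'security' (Dependabot branch not covered by the config, so it can only
    have come from a security update) and 'unknown' (not a Dependabot branch)."""
    managers = configured_managers(config)
    result = {"version": [], "security": [], "unknown": []}
    for branch in branches:
        m = BRANCH_RE.match(branch)
        if not m:
            result["unknown"].append(branch)
            continue
        manager, rest = m.group("manager"), m.group("rest")
        if manager in managers:
            directory, _ = managers[manager]
            prefix = directory.strip("/")
            # Root directory ("/") contributes no path segment to the branch name.
            if not prefix or rest.startswith(prefix + "/"):
                result["version"].append(branch)
                continue
        result["security"].append(branch)
    return result


def limit_report(config, branches):
    """Count version-update branches per ecosystem against its configured limit,
    and report security-update branches against the automatic ceiling."""
    managers = configured_managers(config)
    classified = classify_branches(config, branches)
    counts = Counter(BRANCH_RE.match(b).group("manager") for b in classified["version"])
    report = {}
    for segment, (directory, limit) in managers.items():
        n = counts.get(segment, 0)
        report[segment] = {"directory": directory, "open": n, "limit": limit, "over": n > limit}
    report["security"] = {"open": len(classified["security"]), "auto_limit": SECURITY_UPDATE_LIMIT}
    return report


if __name__ == "__main__":
    for kind, names in classify_branches(DEPENDABOT_CONFIG, SAMPLE_BRANCHES).items():
        print(f"{kind}: {names}")
    print(limit_report(DEPENDABOT_CONFIG, SAMPLE_BRANCHES))
```

In the sample, the two `pip` branches under `/python/requirements` count against the limit of 3 from the config, while the `maven` and `npm_and_yarn` branches are flagged as security updates because no such ecosystem is configured; that is exactly the situation the reporter saw, and the report makes it visible without guessing from PR titles.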

feelepxyz added a commit that referenced this issue Apr 16, 2021
Changes since 7.7.4: https://github.com/npm/cli/blob/latest/CHANGELOG.md

## v7.10.0 (2021-04-15)

### FEATURES

* [`f9b639eb6`](npm/cli@f9b639e)
  [#3052](npm/cli#3052)
  feat(bugs): fall back to email if provided
  ([@Yash-Singh1](https://github.com/Yash-Singh1))
* [`8c9e24778`](npm/cli@8c9e247)
  [#3055](npm/cli#3055)
  feat(version): add workspace support
  ([@wraithgar](https://github.com/wraithgar))

### DEPENDENCIES

* [`f1e6743a6`](npm/cli@f1e6743)
  `libnpmversion@1.2.0`
    * feat(retrieve-tag): retrieve unannotated git tags
    * fix(retrieve-tag): use semver to look for semver
* [`3b476a24c`](npm/cli@3b476a2)
  `@npmcl/git@2.0.8`
    * fix(git): do not use shell when calling git
* [`dfcd0c1e2`](npm/cli@dfcd0c1)
  [#3069](npm/cli#3069)
  `tap@15.0.2`

### DOCUMENTATION

* [`90b61eda9`](npm/cli@90b61ed)
  [#3053](npm/cli#3053)
  fix(contributing.md): explicitely outline dep updates
  ([@darcyclarke](https://github.com/darcyclarke))

## v7.9.0 (2021-04-08)

### FEATURES

* [`1f3e88eba`](npm/cli@1f3e88e)
  [#3032](npm/cli#3032)
  feat(dist-tag): add workspace support
  ([@nlf](https://github.com/nlf))
* [`6e31df4e7`](npm/cli@6e31df4)
  [#3033](npm/cli#3033)
  feat(pack): add workspace support
  ([@wraithgar](https://github.com/wraithgar))

### DEPENDENCIES

* [`ba4f7fea8`](npm/cli@ba4f7fe)
  `licensee@8.2.0`

## v7.8.0 (2021-04-01)

### FEATURES
* [`8bcc5d73f`](npm/cli@8bcc5d7)
  [#2972](npm/cli#2972)
  feat(workspaces): add repo and docs
  ([@wraithgar](https://github.com/wraithgar))
* [`ec520ce32`](npm/cli@ec520ce)
  [#2998](npm/cli#2998)
  feat(set-script): implement workspaces
* [`32717a60e`](npm/cli@32717a6)
  [#3001](npm/cli#3001)
  feat(view): add workspace support
  ([@wraithgar](https://github.com/wraithgar))
* [`7b177e43f`](npm/cli@7b177e4)
  [#3014](npm/cli#3014)
  feat(config): add 'envExport' flag
  ([@isaacs](https://github.com/isaacs))

### BUG FIXES

* [`4c4252348`](npm/cli@4c42523)
  [#3016](npm/cli#3016)
  fix(usage): specify the key each time for multiples
  ([@isaacs](https://github.com/isaacs))
* [`9237d375b`](npm/cli@9237d37)
  [#3013](npm/cli#3013)
  fix(docs): add workspaces configuration
  ([@wraithgar](https://github.com/wraithgar))
* [`cb6eb0d20`](npm/cli@cb6eb0d)
  [#3015](npm/cli#3015)
  fix(ERESOLVE): better errors when current is missing
  ([@isaacs](https://github.com/isaacs))

### DEPENDENCIES

* [`61da39beb`](npm/cli@61da39b)
  `@npmcli/config@2.1.0`
  * feat(config): add support for envExport:false
* [`fb095a708`](npm/cli@fb095a7)
  `@npmcli/arborist@2.3.0`:
  * [#2896](npm/cli#2896) Provide currentEdge in
  ERESOLVE if known, and address self-linking edge case.
  * Add/remove dependencies to/from workspaces when set, not root project
  * Only reify the portions of the dependency graph identified by the
  `workspace` configuration value.
  * Do not recursively `chown` the project root path.

## v7.7.6 (2021-03-29)

### BUG FIXES

* [`9dd2ed518`](npm/cli@9dd2ed5)
  fix empty newline printed to stderr
  ([@ruyadorno](https://github.com/ruyadorno))
* [`9d391462a`](npm/cli@9d39146)
  [#2973](npm/cli#2973)
  fix spelling in workspaces.md file
  ([@sethomas](https://github.com/sethomas))
* [`4b100249a`](npm/cli@4b10024)
  [#2979](npm/cli#2979)
  change 'maxsockets' default value back to 15
  ([@wallrat](https://github.com/wallrat))

### DEPENDENCIES

* [`a28f89572`](npm/cli@a28f895)
  `libnpmversion@1.1.0`
    * fix reading `script-shell` config on `npm version` lifecycle scripts
* [`03734c29e`](npm/cli@03734c2)
  `npm-packlist@2.1.5`
    * fix packaging `bundledDependencies`
* [`80ce2a019`](npm/cli@80ce2a0)
  `@npmcli/metavuln-calculator@1.1.1`
    * fix error auditing package documents with missing dependencies

## v7.7.5 (2021-03-25)

### BUG FIXES

* [`95ba87622`](npm/cli@95ba876)
  [#2949](npm/cli#2949)
  fix handling manual indexes in `npm help`
  ([@dmchurch](https://github.com/dmchurch))
* [`59cf37962`](npm/cli@59cf379)
  [#2958](npm/cli#2958)
  always set `npm.command` to canonical command name
  ([@isaacs](https://github.com/isaacs))
* [`1415b4bde`](npm/cli@1415b4b)
  [#2964](npm/cli#2964)
  fix(config): properly translate user-agent
  ([@wraithgar](https://github.com/wraithgar))
* [`59271936d`](npm/cli@5927193)
  [#2965](npm/cli#2965)
  fix(config): tie save-exact/save-prefix together
  ([@wraithgar](https://github.com/wraithgar))

### TESTS

* [`97b415287`](npm/cli@97b4152)
  [#2959](npm/cli#2959)
  add smoke tests
  ([@ruyadorno](https://github.com/ruyadorno))
3 participants