Open mmunro-ltrr opened 1 month ago
The `dependabot.yml` file can constrain version number bumps, for example by forbidding major version number upgrades within a group, but some npm packages advance their version numbers much more rapidly than others, so something more fine-grained is required. Before Dependabot was grouping its upgrades, the usual way to control it was through comments on the individual pull requests, so before hard-coding constraints in the config file, experiments with comments following the `@dependabot ignore DEPENDENCY_NAME major version` pattern should show if targeting specific dependencies within the group will work.
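As an added illustration (not this repository's own configuration), the following `dependabot.yml` shows the two config-level knobs the issue is weighing: restricting a group to minor and patch bumps so major bumps get their own PRs, and an `ignore` rule that is the config counterpart of the `@dependabot ignore eslint major version` comment. It assumes an npm project at the repository root and a weekly schedule; `eslint` is the only real package name used.

```yaml
# Added example config, not the repository's own dependabot.yml.
# Assumes an npm project at the repo root with a weekly update schedule.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # Before: a catch-all group, so one major bump (e.g. eslint 9)
      # lands in the same PR as otherwise harmless patch updates.
      # npm-all:
      #   patterns: ["*"]
      #
      # After: the group only collects minor and patch bumps; any major
      # bump falls outside the group and is opened as a separate PR that
      # can be reviewed or closed without blocking the rest.
      npm-minor-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    ignore:
      # Config counterpart of commenting
      # "@dependabot ignore eslint major version" on a PR:
      # eslint stays on its current major until this rule is removed,
      # while its minor and patch updates still flow into the group.
      - dependency-name: "eslint"
        update-types: ["version-update:semver-major"]
```

The `ignore` rule is the per-dependency constraint the issue is after; the `update-types` list on the group is the coarser control that keeps every major bump out of the grouped PR.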
Problem/Motivation
Dependabot's grouped pull requests for dependencies currently include some unwanted version number bumps.
Describe the bug
Now that Dependabot produces pull requests that group several different dependency version bumps, there is almost always one unwanted upgrade that invalidates the entire PR.
To Reproduce
Review recent Dependabot PRs that have attempted an eslint 9 upgrade.
Proposed resolution
Introduce more version number constraints for the upgrades that Dependabot and ncu are suggesting.
Expected behavior
Most Dependabot PRs are suitable for merging.