Open rhyskoedijk opened 2 weeks ago
It looks like @jakecoffman proposed something similar to what I'm looking for in https://github.com/dependabot/cli/pull/325. Is there anything I could do to help with this? It sounds like a change might be needed to dependabot-core first, which is maybe why this has stalled?

I'm trying to convert tinglesoftware/dependabot-azure-devops over to the CLI, which currently uses the `dry-run.rb` and `updater` scripts to perform updates. Everything works well so far using the CLI, except for security-only updates. I've run into a "chicken or the egg" situation where you need to list the [vulnerable] dependency names in `input.yaml`, but you don't know what the dependencies are until you've already run a `dependabot update` first and parsed the dependency list from `output.yaml`. For example:

Do you have any advice on how I could solve this problem? It would be ideal if there was a command like `dependabot fetch --run-discovery` that was able to return the "dependency_list" output but skip the actual updates. Assuming I'm not missing something obvious, would you be open to me submitting a pull request to add this command?

The only way I can currently work around this issue is to do two "updates": first with `security-updates-only: false` so I can parse the discovered dependency list, then a second update with `security-updates-only: true` and the `dependencies` list populated.
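The two-pass workaround described in the post, as an added example that is not from the issue author or the dependabot project: it takes the parsed result of the discovery pass, collects the dependency names, and builds the job for the second, security-only pass. The shape of the discovery output (an `update_dependency_list` entry carrying a `dependencies` list) and of the `job` block are assumptions about the dependabot CLI formats, and the sample data is constructed.

```python
import json

# Constructed sample of a discovery pass (security-updates-only: false) output.yaml,
# already parsed into Python structures. The entry shape is an ASSUMPTION about
# the dependabot CLI output format, not taken from the issue.
DISCOVERY_OUTPUT = {
    "output": [
        {"type": "update_dependency_list",
         "expect": {"data": {"dependencies": [
             {"name": "lodash", "version": "4.17.15"},
             {"name": "minimist", "version": "1.2.0"},
             {"name": "lodash", "version": "4.17.15"},  # duplicate, e.g. from two manifests
         ]}}},
        {"type": "create_pull_request", "expect": {"data": {}}},
    ]
}


def discovered_dependency_names(output_doc):
    """Collect unique dependency names from the discovery pass, preserving order."""
    names = []
    for entry in output_doc.get("output", []):
        if entry.get("type") != "update_dependency_list":
            continue
        for dep in entry.get("expect", {}).get("data", {}).get("dependencies", []):
            name = dep.get("name")
            if name and name not in names:
                names.append(name)
    return names


def security_only_job(base_job, names):
    """Second-pass job: same package manager and source, security-only, dependencies filled in."""
    if not names:
        return None  # nothing was discovered, so a second pass has nothing to check
    job = dict(base_job)
    job["security-updates-only"] = True
    job["dependencies"] = list(names)
    return job


def render_input_yaml(job):
    """YAML 1.2 accepts JSON documents, so this is a valid input.yaml without a YAML library."""
    return json.dumps({"job": job}, indent=2)


if __name__ == "__main__":
    # Constructed base job; the key names are assumptions about the CLI input format.
    base = {"package-manager": "npm_and_yarn",
            "source": {"provider": "github", "repo": "example/repo", "directory": "/"}}
    print(render_input_yaml(security_only_job(base, discovered_dependency_names(DISCOVERY_OUTPUT))))
```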