Open klaustopher opened 4 weeks ago
Seconding this: In fact, we find for JS at least, dependabot ignores the prefix setting in full for security updates, which is causing some issues in our process. At minimum, it should use the general prefix, but ideally allow a specific one.
Tesla also raised a ticket about this issue, where PR titles do not always honor the `commit-message.prefix` value, but it does work for the commit message.
According to our docs: "prefix specifies a prefix for all commit messages and it will also be added to the start of the PR title."
Based on the screenshots shared by Tesla, we can see that PRs that resolve a Dependabot alert do not get the prefix:
While PRs that update a package's version without a Dependabot alert do:
`dependabot.yaml` for reference:

```yaml
version: 2
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    target-branch: 'develop'
    commit-message:
      prefix: 'chore: EFPM-10618 '
    open-pull-requests-limit: 10
    rebase-strategy: 'disabled'
    reviewers:
      - 'digital-experience/grid-team'
    schedule:
      interval: 'monthly'
    groups:
      major:
        update-types:
          - 'major'
      minor-and-patch:
        update-types:
          - 'minor'
          - 'patch'
    ignore:
      - dependency-name: 'mocha'
      - dependency-name: 'node'
      - dependency-name: 'node-fetch'
      - dependency-name: 'p-queue'
      - dependency-name: 'yarn'
      # Ignore only major updates
      - dependency-name: '@types/chai'
        update-types: ['version-update:semver-major']
      - dependency-name: '@types/mocha'
        update-types: ['version-update:semver-major']
      - dependency-name: '@types/node'
        update-types: ['version-update:semver-major']
      - dependency-name: '@typescript-eslint/*'
        update-types: ['version-update:semver-major']
      - dependency-name: 'chai'
        update-types: ['version-update:semver-major']
      - dependency-name: 'eslint*'
        update-types: ['version-update:semver-major']
```
Is there an existing issue for this?
Feature description
Currently we can define a `prefix` for all updates and `prefix-development` for the updates of development dependencies. In our application we prefix the dependabot PRs using a `chore(deps)` prefix. In our release process, this triggers no special actions. For security updates, we actually want the prefix to change to `fix(deps)` because this will trigger a bugfix release and directly forward a release to our customers. We currently do this manually by changing the PR title and then squash-merging the PR, but it would be great if dependabot automatically allowed prefixing security PRs with a custom prefix.
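A small audit of PR titles against the configured prefixes, added here as an example and not part of the issue or of Dependabot. It models the documented rule (`prefix` for all updates, `prefix-development` for development dependencies) and flags titles that break it, so the pattern from the thread (security-alert PRs losing the prefix) becomes visible; the PR records and their `is_development`/`is_security` fields are constructed for the example.

```python
# Constructed stand-in for the parsed `commit-message` block of the
# dependabot.yaml quoted in the thread (the prefix value is the file's own).
COMMIT_MESSAGE_CFG = {"prefix": "chore: EFPM-10618 "}

# Constructed PR records; the (title, is_development, is_security) shape is
# an assumption for this example, not a Dependabot API.
SAMPLE_PRS = [
    {"title": "chore: EFPM-10618 Bump eslint from 8.0.0 to 8.1.0",
     "is_development": True, "is_security": False},
    {"title": "Bump node-forge from 1.2.1 to 1.3.0",
     "is_development": False, "is_security": True},
    {"title": "chore: EFPM-10618 Bump p-retry from 4.6.1 to 4.6.2",
     "is_development": False, "is_security": False},
]


def expected_prefix(cfg, is_development):
    """Return the prefix the docs say a PR title should carry.

    `prefix-development` wins for development dependencies when it is set;
    otherwise `prefix` applies to every update. Trailing whitespace is
    stripped so 'chore: EFPM-10618 ' and 'chore: EFPM-10618' compare equal.
    """
    if is_development and cfg.get("prefix-development"):
        return cfg["prefix-development"].strip()
    return cfg.get("prefix", "").strip()


def find_missing_prefix(prs, cfg):
    """List PRs whose title does not start with the configured prefix.

    Each hit records whether the PR came from a security alert, so an
    "only alert PRs are affected" pattern stands out in the output.
    """
    missing = []
    for pr in prs:
        want = expected_prefix(cfg, pr["is_development"])
        if want and not pr["title"].strip().startswith(want):
            missing.append({"title": pr["title"],
                            "expected_prefix": want,
                            "is_security": pr["is_security"]})
    return missing


if __name__ == "__main__":
    for hit in find_missing_prefix(SAMPLE_PRS, COMMIT_MESSAGE_CFG):
        kind = "security alert" if hit["is_security"] else "version update"
        print(f"{kind}: {hit['title']!r} lacks prefix {hit['expected_prefix']!r}")
```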