dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Add a `schedule` type of `security-updates-only` so Dependabot only creates PRs for security updates #1828

Open v1sion opened 4 years ago

v1sion commented 4 years ago

Hey, kudos for the great work. In the Dependabot hosted version (https://app.dependabot.com) I'm able to select PRs on "Only security updates"; it would be nice if we could have the same feature here. Cheers

feelepxyz commented 4 years ago

@v1sion it's tricky to make this a straightforward option in core, as you have to provide all the security advisories yourself when self-hosting dependabot-core. You could achieve the same by checking that the updated versions are fixing a SecurityAdvisory.

nikolas commented 4 years ago

@v1sion, I haven't tried this myself yet, but you could try setting allowed_updates, and setting update_type to "security". Like this:

version: 1
update_configs:
  - package_manager: "javascript"
    directory: "/"
    update_schedule: "daily"
    allowed_updates:
      - match:
          update_type: "security"

From https://dependabot.com/docs/config-file/#allowed_updates

BobbyMcWho commented 4 years ago

@nikolas I believe that only works with the GitHub-hosted bot. I am working on something internally similar to what @feelepxyz mentioned, using https://github.com/rubysec/ruby-advisory-db and the GitHub API: I pull the security vulnerabilities from that repo and massage the data to match what Dependabot::SecurityAdvisory expects. Then I pass those into the checker.

https://gist.github.com/BobbyMcWho/3ce09bde5abb674e61092efbe7390ffb

I haven't 100% fleshed this out yet, since I'm having some issues with getting rails updated appropriately when there is a vulnerability in only 1 of its core gems.
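As an added illustration of the "massage the data" step described in the comment above (this is example code, not BobbyMcWho's gist and not dependabot-core's own code), the Ruby below turns one ruby-advisory-db style entry into the keyword arguments that `Dependabot::SecurityAdvisory.new` takes, and checks candidate versions against it with stdlib `Gem::Requirement` so it runs without the dependabot gems. The advisory entry is a constructed sample, and the local `vulnerable?` is a stand-in that assumes the class's behaviour of treating every version outside `safe_versions` as vulnerable when `vulnerable_versions` is empty.

```ruby
require "yaml"
require "rubygems"

# Constructed sample in ruby-advisory-db's layout (values are made up for
# illustration; real entries live under gems/<name>/CVE-*.yml in that repo).
ADVISORY_YAML = <<~YAML
  gem: examplegem
  cve: 0000-00000
  title: Example advisory (constructed sample)
  patched_versions:
    - "~> 5.2.4, >= 5.2.4.3"
    - ">= 6.0.3.1"
  unaffected_versions:
    - "< 4.0"
YAML

# Map one advisory onto the arguments Dependabot::SecurityAdvisory.new accepts.
# ruby-advisory-db records what is SAFE (patched + unaffected); everything else
# is vulnerable, which Dependabot expresses by leaving vulnerable_versions empty.
# Intended use (not executed here): Dependabot::SecurityAdvisory.new(**advisory_args(yaml))
def advisory_args(yaml_text)
  entry = YAML.safe_load(yaml_text)
  {
    dependency_name: entry.fetch("gem"),
    package_manager: "bundler",
    vulnerable_versions: [],
    safe_versions: Array(entry["patched_versions"]) + Array(entry["unaffected_versions"])
  }
end

# Stand-in for the real class's check (assumption: a version is vulnerable when it
# satisfies none of the safe ranges). Compound ranges like "~> 5.2.4, >= 5.2.4.3"
# are split on commas because Gem::Requirement parses one constraint per string.
def vulnerable?(args, version_string)
  version = Gem::Version.new(version_string)
  safe = args[:safe_versions].map { |r| Gem::Requirement.new(*r.split(",").map(&:strip)) }
  safe.none? { |req| req.satisfied_by?(version) }
end

if __FILE__ == $PROGRAM_NAME
  args = advisory_args(ADVISORY_YAML)
  %w[3.2.0 4.2.0 5.2.4.2 5.2.4.3 6.0.3 6.0.3.1].each do |v|
    puts "#{args[:dependency_name]} #{v}: #{vulnerable?(args, v) ? 'vulnerable' : 'safe'}"
  end
end
```

Advisories built this way can then be handed to the update checker's `security_advisories:` argument, which is the step the comment above refers to as passing them into the checker.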

konsalex commented 1 year ago

For anyone landing here, you can set the open-pull-requests-limit to 0 so only security update PRs will get created.

jeffwidman commented 1 year ago

☝️ is the currently recommended workaround.

This has been a consistently painful / non-intuitive user experience, so I'm sure we'll address it at some point.

Among other possible solutions, we've considered the idea of adding a schedule type of security-updates-only. So I updated the issue title to reflect that, but no promises whether we'll go that route or another way to solve it.