Open v1sion opened 4 years ago
@v1sion it's tricky to make this a straightforward option in core, as you have to provide all the security advisories yourself when self-hosting dependabot-core. You could achieve the same by checking that the updated versions are fixing a SecurityAdvisory.
@v1sion, I haven't tried this myself yet, but you could try setting allowed_updates, and setting update_type to "security". Like this:

```yaml
version: 1
update_configs:
  - package_manager: "javascript"
    directory: "/"
    update_schedule: "daily"
    allowed_updates:
      - match:
          update_type: "security"
```
From https://dependabot.com/docs/config-file/#allowed_updates
@nikolas I believe that only works with the GitHub-hosted bot. I am working on something internally similar to what @feelepxyz mentioned, using https://github.com/rubysec/ruby-advisory-db and the GitHub API. I pull the security vulnerabilities from that repo, and massage the data to match what Dependabot::SecurityAdvisory expects. Then I pass those into the checker.
https://gist.github.com/BobbyMcWho/3ce09bde5abb674e61092efbe7390ffb
I haven't 100% fleshed this out yet, since I'm having some issues with getting rails updated appropriately when there is a vulnerability in only 1 of its core gems.
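The "massage the advisory-db data into what Dependabot::SecurityAdvisory expects" step, as an added illustration that is not the gist linked above nor dependabot-core's own code. It assumes the ruby-advisory-db entry layout (`gem`, `patched_versions`, `unaffected_versions` as Gem requirement strings), uses a constructed sample entry rather than a real advisory, and only needs the Ruby standard library so it can be tried without dependabot-core:

```ruby
require "yaml"
require "rubygems"

# Constructed sample in the ruby-advisory-db entry layout (not a real advisory).
SAMPLE_ADVISORY_YAML = <<~YAML
  gem: examplegem
  title: Constructed advisory used only for illustration
  patched_versions:
    - "~> 5.2.4, >= 5.2.4.3"
    - ">= 6.0.3.1"
  unaffected_versions:
    - "< 5.0.0"
YAML

def load_entry
  YAML.safe_load(SAMPLE_ADVISORY_YAML)
end

# Turn one advisory-db entry into the keyword arguments Dependabot::SecurityAdvisory.new
# takes (dependency_name, package_manager, vulnerable_versions, safe_versions).
# The advisory db lists ranges as comma-separated Gem requirement strings, so each
# one becomes a Gem::Requirement; the gem is treated as vulnerable everywhere that
# is not explicitly patched or unaffected, hence the empty vulnerable list.
def advisory_attributes(entry, package_manager: "bundler")
  safe = Array(entry["patched_versions"]) + Array(entry["unaffected_versions"])
  {
    dependency_name: entry["gem"],
    package_manager: package_manager,
    vulnerable_versions: [],
    safe_versions: safe.map { |r| Gem::Requirement.new(*r.split(",").map(&:strip)) }
  }
end

# True when a candidate update version lands in at least one safe range, i.e. the
# update actually fixes the advisory; this is the check the thread suggests using
# to decide whether a PR is a security update when self-hosting.
def fixes_advisory?(attrs, version)
  v = Gem::Version.new(version)
  attrs[:safe_versions].any? { |req| req.satisfied_by?(v) }
end
```

For a meta-gem such as rails, the same check has to be run against the advisory for whichever component gem is actually affected, since the advisory entry names that gem rather than rails itself.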
For anyone landing here, you can set the open-pull-requests-limit to 0 so only security update PRs will get created.
☝️ is the currently recommended workaround.
This has been a consistently painful / non-intuitive user experience, so I'm sure we'll address it at some point.
Among other possible solutions, we've considered the idea of adding a schedule type of security-updates-only. So I updated the issue title to reflect that, but no promises on whether we'll go that route or another way to solve it.
Hey, kudos for the great work. In the Dependabot hosted version (https://app.dependabot.com) I'm able to select PRs on "Only security updates"; it would be nice if we could have the same feature here. Cheers