dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Open an issue instead of a PR when a new release of a package comes out #2242

Open connorshea opened 6 years ago

connorshea commented 6 years ago

So I have a project called mdn-compat-data-explorer, and it uses an npm package called mdn-browser-compat-data.

The package is heavily integrated into the project, so dependabot opening a PR isn't very useful as simply updating the package won't work and the tests will fail. When I update the package, I have to do a bunch of other stuff manually, like regenerating the JSON data file.

So in this case, it'd be nice if dependabot could open an issue to tell me that the package was updated rather than opening a PR that'll fail anyway.

greysteil commented 6 years ago

I've had this suggested before, and I like the idea of a @dependabot convert to issue command. Shouldn't take too long to implement, although I have a few bugs to crush first.

Thanks for the feedback! 🙏

nesl247 commented 6 years ago

I haven't tested the "lock file updates only" feature yet, but if it doesn't do this, this may be a great way to support that feature, while also letting engineers know about newer releases.

feelepxyz commented 5 years ago

Feedback from https://github.com/dependabot/feedback/issues/380

I have opted out from dependabot some time ago but I still need some kind of notifications :) Is it possible to configure dependabot to create issues about available updates instead of pull requests?

merwok commented 5 years ago

This would be a great setting. For some of our projects, we really only want the core value of dependabot, that is knowing that updates exist, with changelog and links, in order to request support budget from clients. The pull requests provide this but also eat our CI quota for small benefit, as we may wait a few weeks before being able to properly review and test the updates.

waghanza commented 5 years ago

@greysteil any news?

att14 commented 2 years ago

It would be super useful if, when dependabot cannot create a PR for the alert, it created an issue instead, so it can be assigned to a specific person.

If creating tickets automatically is hard, could you add a button that copies the markdown of the alert when viewing it from Security > Dependabot alerts?

illegalnumbers commented 7 months ago

Is this still not available 6 years later? Why even is this issue open then if no one cares?

MichaMican commented 4 months ago

Any update on this?

marchershey commented 4 months ago

It kind of blows my mind that blindly pushing version upgrades is acceptable. I've always checked the changelog of each dependency before pushing any upgrades, so having dependabot create an issue instead is such a great idea.

...but 6 years with no talk about adding it seems like it's never going to happen.