Open nikophil opened 3 years ago
I assume this is to minimize the number of update-not-possible type errors where we update one dependency but it then ends up violating some constraint its dependencies have. I assume for internal libraries this is less of a concern though.
I assume versioning-strategy is close to what you're looking for, but potentially not quite right?
Hello @asciimike,
thanks for your answer. Indeed for internal libs, the option is less required I think.
I've tried with versioning-strategy: increase-if-necessary, which sounds the strictest, but I still have multiple dependencies up to date.
I just bumped into this as well. Did you ever figure out a better config option or are you just living with it?
Are you saying you just don't want any PRs to be opened for non-private dependencies? If so, you'll probably want to ignore the other dependencies that you have
No—it's just that the dependabot PRs include updates to additional composer packages, not just the one in the title. (And additional packages aren't required for the update.) I'd like to limit the scope of each PR as much as possible—to just update a single dependency (or as close to that as possible).
For example, today we have a PR to update propaganistas/laravel-phone from 4.3.0 to 4.3.1. If you look at the diff between 4.3.0 and 4.3.1 you can see that there are no changes in that package's dependencies. But the changes to our composer.lock file in the dependabot PR would include:
laravel/framework from 8.51.0 to 8.52.0
league/commonmark from 2.0.0 to 2.0.1
ramsey/collection from 1.1.3 to 1.1.4

Would you mind linking me a PR which does this so I can take a look (or reaching out to support if you'd prefer not to share it publicly)? Would you also mind rebasing it to see if it looks like what you expect? Often what happens is that between the time we start the update and create the PR, other changes can get included in the diff, creating the appearance of multiple dependencies getting updated.
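A small check for the scope problem described above, added here as an example and not part of the thread: it compares the composer.lock before and after a PR and reports every package whose version changed other than the one the PR title names (the lock contents below are constructed).

```python
"""Check a Dependabot PR's composer.lock change for updates beyond the
package named in the PR title. Added example; the lock data is constructed."""
import json

# Constructed composer.lock excerpts (only the fields this check reads).
LOCK_BEFORE = json.dumps({"packages": [
    {"name": "propaganistas/laravel-phone", "version": "4.3.0"},
    {"name": "laravel/framework", "version": "8.51.0"},
    {"name": "league/commonmark", "version": "2.0.0"},
    {"name": "ramsey/collection", "version": "1.1.3"}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "9.5.0"}]})
LOCK_AFTER = json.dumps({"packages": [
    {"name": "propaganistas/laravel-phone", "version": "4.3.1"},
    {"name": "laravel/framework", "version": "8.52.0"},
    {"name": "league/commonmark", "version": "2.0.1"},
    {"name": "ramsey/collection", "version": "1.1.4"}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "9.5.0"}]})


def lock_versions(lock_json: str) -> dict:
    """Map package name -> version over both 'packages' and 'packages-dev'."""
    data = json.loads(lock_json)
    return {pkg["name"]: pkg["version"]
            for section in ("packages", "packages-dev")
            for pkg in data.get(section, [])}


def lock_diff(before_json: str, after_json: str) -> dict:
    """Return {name: (old, new)}; old or new is None if added or removed."""
    before, after = lock_versions(before_json), lock_versions(after_json)
    return {name: (before.get(name), after.get(name))
            for name in sorted(before.keys() | after.keys())
            if before.get(name) != after.get(name)}


def extra_updates(before_json: str, after_json: str, expected: str) -> dict:
    """Changed packages other than the one the PR is supposed to update."""
    return {n: v for n, v in lock_diff(before_json, after_json).items()
            if n != expected}


if __name__ == "__main__":
    extras = extra_updates(LOCK_BEFORE, LOCK_AFTER, "propaganistas/laravel-phone")
    for name, (old, new) in extras.items():
        print(f"unexpected change: {name} {old} -> {new}")
```

Run it against the two lock files of a real PR (the base branch's and the PR branch's) to see whether the PR touched more than the package it claims to update.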
I'm also seeing the same behavior. It's difficult because a minor dependency bump ends up also upgrading laravel/framework, for example.
As of this release https://blog.packagist.com/composer-2-7-and-cve-2024-24821/
We added a new --minimal-changes (-m) flag to composer update, require, and remove. The option can be combined with --with-dependencies or --with-all-dependencies to perform a partial update of only the listed packages and their dependencies while only performing version changes or additional installations/removals of their dependencies when absolutely necessary to update the listed packages to their latest installable versions, rather than updating all of them to the latest possible versions.
I think it's possible that --minimal-changes is a good shout that could help solve this problem.
Hi,
we would like to update with dependabot only our private libraries, but it seems dependabot calls composer update with option --with-all-dependencies. Thus, we have a lot of libraries updated instead of just the single one(s) that we would like. Is there a way to remove this option?
thanks a lot.