dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

If a dependabot.yml file with a limited npm `allow` section exists all Security updates are disabled #5845

Open davidmurdoch opened 1 year ago

davidmurdoch commented 1 year ago

Is there an existing issue for this?

Package ecosystem

npm

Package manager version

6

Language version

16

Manifest location and content before the Dependabot update

No response

dependabot.yml content

```yaml
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
```

Updated dependency

No response

What you expected to see, versus what you actually saw

Adding a dependabot.yml to a project shouldn't change the behavior of the GitHub Dependency Security Settings, but it does.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

Adding a dependabot.yml causes security updates to fail:

[image attachment]

Smallest manifest that reproduces the issue

No response

jeffwidman commented 1 year ago

👋 I'm a little confused...

Dependabot PRs that fix security updates are also version update PRs and subject (with certain exceptions) to the configuration in dependabot.yml. Your example dependabot.yml file only allows updates to ganache... so PRs for all other dependencies can't be created. So I'm not really surprised that Dependabot complains that it can't create a version update PR for other deps like thenify...

How is this not working as expected?
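The behaviour described in the comment above (an npm `allow` list also gating security-update PRs) is easy to check against a repository's open alerts before it bites. The script below is an added example, not code from dependabot-core or from anyone in this thread: it reads the `allow` list of each update block with a minimal line-based reader (not a general YAML parser; it only handles the plain shape shown) and reports every alert whose package is not matched, i.e. the packages that will get a "Dependabot cannot update" message instead of a security PR. The config mirrors the reporter's setup as far as the thread reveals it (only `ganache` allowed); the config, the second no-`allow` config and the alert list are constructed for illustration, and `dependency-type` entries are deliberately not evaluated (an assumption that simplifies Dependabot's real semantics).

```python
"""Find Dependabot alerts that an npm `allow` list will block from getting a PR.

Added example; not part of dependabot-core. Reflects the behaviour reported in
this thread: `allow` restricts security-update PRs as well as version updates.
"""
from fnmatch import fnmatchcase

# Constructed dependabot.yml mirroring the reporter's setup: updates only for ganache.
DEPENDABOT_YML = """\
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    allow:
      - dependency-name: "ganache"
"""

# Constructed variant with no `allow` list (the pre-dependabot.yml situation).
DEPENDABOT_YML_NO_ALLOW = """\
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
"""

# Constructed sample of open Dependabot alerts as (ecosystem, package) pairs.
SAMPLE_ALERTS = [
    ("npm", "thenify"),
    ("npm", "ganache"),
    ("npm", "minimist"),
]


def parse_allow_lists(yml_text):
    """Return {ecosystem: [allow_entry, ...]} from a dependabot.yml.

    Minimal line-based reader for the two-space-indented shape above; an update
    block without an `allow:` key yields an empty list (nothing is restricted).
    """
    result = {}
    ecosystem = None
    in_allow = False
    for raw in yml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if line.startswith("- package-ecosystem:"):
            ecosystem = line.split(":", 1)[1].strip().strip("\"'")
            result[ecosystem] = []
            in_allow = False
            continue
        if ecosystem is None:
            continue  # top-level keys such as `version:` / `updates:`
        if line == "allow:":
            in_allow = True
            continue
        if in_allow:
            if indent <= 4:
                in_allow = False  # back at a sibling key of the update block
            elif line.startswith("- "):
                key, val = line[2:].split(":", 1)
                result[ecosystem].append({key.strip(): val.strip().strip("\"'")})
            else:
                key, val = line.split(":", 1)
                result[ecosystem][-1][key.strip()] = val.strip().strip("\"'")
    return result


def allow_entry_matches(entry, package_name):
    """One `allow` entry: dependency-name may use `*` wildcards.

    Assumption: `dependency-type` is not evaluated here, so an entry without a
    dependency-name is treated as matching every package.
    """
    return fnmatchcase(package_name, entry.get("dependency-name", "*"))


def alerts_without_update_pr(yml_text, alerts):
    """Alerts whose package is outside the ecosystem's `allow` list.

    With no update block or no `allow` list, every alert is considered covered.
    """
    allow_lists = parse_allow_lists(yml_text)
    uncovered = []
    for ecosystem, package in alerts:
        entries = allow_lists.get(ecosystem)
        if not entries:
            continue
        if not any(allow_entry_matches(e, package) for e in entries):
            uncovered.append((ecosystem, package))
    return uncovered


if __name__ == "__main__":
    for eco, pkg in alerts_without_update_pr(DEPENDABOT_YML, SAMPLE_ALERTS):
        print(f"{eco}/{pkg}: alert open but not matched by `allow`; no security PR expected")
```

On a real repository the alert list would come from the Dependabot alerts REST endpoint and the config from the checked-out `.github/dependabot.yml`; the reader above intentionally stops at `dependency-name` matching, so an `allow` list that relies on `dependency-type` needs the full Dependabot semantics rather than this simplification.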

davidmurdoch commented 1 year ago

It seems impossible to enable security updates while also enabling limited all-version update PRs via config.

I've consulted with 4 other engineers on this, each with over 10 years' experience in software development, and none of them expected this behavior. My expectation seems like a reasonable default to me.

haltman-at commented 1 year ago

So how would one set the config to achieve the desired goal here, then? (Enabling the usual security updates but also enabling all-version updates for one particular package.) Is there any way to do so?

I should note in addition to what @davidmurdoch has said that a bunch of us looked at the documentation and, from the documentation, did not expect this behavior. If this is the intended behavior, the docs need to be a lot clearer on this point.

jeffwidman commented 1 year ago

So if i understand, what you want is the following:

  1. enable security updates for all deps
  2. enable non-security-related version updates for a subset of deps

Is that correct?

If so, I'm pretty sure there's a way to configure that, but I do agree in this case it's not clear at first glance how to do it... because I have to go look it up myself! 😄

haltman-at commented 1 year ago

Yup, that's the idea.

If you look at the documentation for allow, nowhere does it say that it in any way limits updates, that things outside of it are thereby disallowed; therefore I inferred that it allows you to turn other things on, and would not turn off the default behavior of getting security updates.

dforesman commented 5 months ago

Bumping this as it affects my organization, which has been using Dependabot for internal updates for years, and recently adopted GitHub Advanced Security.

We've been enjoying thousands of automated internal updates per year from our private NPM registry with Dependabot, but are now finding that the allow filtering that supports it is disabling security updates across our stack; an unacceptable outcome in our industry.

I agree with the posters in this thread who have described this behavior as counter-intuitive. In fact, it strikes me as such a fundamental oversight, I'm having trouble wrapping my head around it. If there is no way to filter out version updates without also filtering security updates, it leaves users either fundamentally insecure, or pummeled with constant version update PRs for every dependency in the project. It essentially removes the distinction between version updates and security updates, which strikes me as a bug.

To make matters worse - and further support that this is a bug - Dependabot itself reports 'No ignore conditions found' when queried for the packages that are being blocked from security updates.

> 1. enable security updates for all deps
> 2. enable non-security-related version updates for a subset of deps
>
> If so, I'm pretty sure there's a way to configure that, but I do agree in this case it's not clear at first glance how to do it... because I have to go look it up myself! 😄

@jeffwidman were you ever able to find a viable way to configure this behavior? For myself, my organization, and every engineer I've talked to, this scenario is the core use-case for Dependabot.