dependabot / feedback

The old feedback repository for Dependabot. Click below for the new repository.
https://github.com/dependabot/dependabot-core

feature request: auto-merge in-range updates #79

Closed christopherthielen closed 6 years ago

christopherthielen commented 6 years ago

I'm using dependabot for javascript.

Feature Request:

I'd like the ability to auto-merge any in-range updates. It would be even better if those in-range updates could be consolidated into a single PR.

I want to have two workflows with dependabot:

Additional thoughts

Dependency updates can be categorized in a few different ways:

1) in-range (matches the package.json semver)
2) out-of-range
3) minor
4) patch
5) dev deps
6) normal deps
7) security
8) something else that I haven't thought of

Matrix?

Maybe these could be seen as a matrix:

- In range Out of range Minor Patch Security
Normal deps X X
Dev deps X X

I could pick and choose which matrix elements I want auto-merged

Tags?

Maybe each PR could get Tags which categorize the update type. The tags could be real github tags, or dependabot only (I don't think it really matters):

Example PR with tags:

build(deps): bump yargs from 11.0.0 to 12.0.1 [Development] [OutOfRange] [Major]

Then maybe I can create a set of auto-merge combinations:

...but that might be overcomplicating things.

Looking forward to your feedback

greysteil commented 6 years ago

Thanks for the feedback @christopherthielen!

Did you already see the automerge options Dependabot currently has? If you click to edit one of your update configs, or look in the advanced options section when adding a new language, you can ask Dependabot to automerge patch, security, minor or all updates, differentiating between dev and runtime dependencies. You can also specify working hours to do the automerging in (we only released that yesterday).

christopherthielen commented 6 years ago

Hi @greysteil thanks for the quick reply! Yes, I am familiar with the options for auto-merge. My main request is to add "in-range updates" to the list of auto-merge options. Essentially, I want dependabot to run yarn upgrade on my repository and commit the changes if CI is successful.


The problem with the existing options such as "minor" or "patch" or "security" is that many dependencies do not conform to semver. Additionally, semver itself has oddities such as packages that start with "0.3.x" as opposed to "3.0.0".

In the case of projects which don't follow semver (even huge projects such as typescript), breaking changes occur in the minor releases, i.e. "1.7.x" -> "1.8.x".

For the "0.3.x" cases, a "minor" version bump actually indicates a breaking change release (of a pre-release software), so I have little confidence in auto-merging on "minor" versions.

In any case, my semver ranges in package.json indicate the versions that I'm comfortable automatically merging updates for (and these ranges are never "all patch versions" or "all minor versions").


The remainder of my original issue comment is musings about how to possibly support multiple choices for auto-merging. For example, I want to auto-merge both security updates and in-range updates.

greysteil commented 6 years ago

Interesting, thanks for the extra detail.

I think this is a good idea - I'll take a look at implementing it.

BTW, Dependabot won't automerge pre-1.0.0 dependencies or anything else that clearly doesn't follow SemVer (like CalVer dependencies), but tricky deps like typescript do pose a problem.
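An added example, not code from this thread or from Dependabot, that classifies a proposed bump along the axes discussed above (in-range vs out-of-range against the package.json range, major/minor/patch, dev vs runtime, pre-1.0.0) and runs it through a hypothetical auto-merge matrix of the kind sketched in the first comment. The range parser is deliberately minimal (exact pins, `^`, `~` and `*` only; no pre-release tags, no `>=`/`<` ranges), and the `POLICY` shape, the `SAMPLE_UPDATES` records and the package names other than yargs and typescript are constructed for illustration; none of it is Dependabot's configuration format or its matching logic.

```javascript
// Added example, not Dependabot's code. Classifies a dependency bump and
// applies a hypothetical auto-merge matrix (dev/runtime x in-range/security/
// patch/minor). Range support is intentionally limited to exact, "^", "~", "*".

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound for "^x.y.z" / "~x.y.z" following npm's rules: tilde
// allows patch changes only; caret pins the left-most non-zero component, so
// "^0.3.4" stops at 0.4.0 (the "0.x minor is breaking" convention).
function upperBound(op, [maj, min, pat]) {
  if (op === '~') return [maj, min + 1, 0];
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

function satisfies(version, range) {
  const r = String(range).trim();
  if (r === '' || r === '*') return true;
  const m = /^([\^~]?)(.+)$/.exec(r);
  const base = parseVersion(m[2]);
  const v = parseVersion(version);
  if (m[1] === '') return compare(v, base) === 0; // exact pin
  return compare(v, base) >= 0 && compare(v, upperBound(m[1], base)) < 0;
}

function bumpType(from, to) {
  const a = parseVersion(from), b = parseVersion(to);
  if (compare(a, b) >= 0) return 'none';
  if (a[0] !== b[0]) return 'major';
  if (a[1] !== b[1]) return 'minor';
  return 'patch';
}

// update: { name, from, to, range, scope: 'dev'|'runtime', security, ciPassed }
function classify(update) {
  return {
    scope: update.scope,
    bump: bumpType(update.from, update.to),
    inRange: satisfies(update.to, update.range),
    preOneDotZero: parseVersion(update.from)[0] === 0,
    security: Boolean(update.security),
  };
}

// Hypothetical policy matrix: one row per dependency scope, one flag per category.
const POLICY = {
  runtime: { inRange: true, security: true, patch: false, minor: false },
  dev:     { inRange: true, security: true, patch: true,  minor: false },
};

function shouldAutomerge(update, policy = POLICY) {
  const c = classify(update);
  const rules = policy[c.scope];
  if (!rules) throw new Error(`unknown scope: ${c.scope}`);
  if (!update.ciPassed) return { merge: false, reason: 'ci-not-green' };
  if (c.bump === 'none') return { merge: false, reason: 'not-an-upgrade' };
  // In-range: the package.json range already encodes what the maintainer trusts.
  if (rules.inRange && c.inRange) return { merge: true, reason: 'in-range' };
  if (rules.security && c.security && c.bump !== 'major') return { merge: true, reason: 'security' };
  // Below 1.0.0 the minor/patch labels carry no compatibility promise, so the
  // semver-based categories are not applied (only in-range/security above).
  if (c.preOneDotZero) return { merge: false, reason: 'pre-1.0.0' };
  if (c.bump === 'patch' && (rules.patch || rules.minor)) return { merge: true, reason: 'patch' };
  if (c.bump === 'minor' && rules.minor) return { merge: true, reason: 'minor' };
  return { merge: false, reason: `out-of-policy:${c.bump}` };
}

// Constructed sample updates (versions, ranges and the names other than
// yargs/typescript are illustrative only).
const SAMPLE_UPDATES = [
  { name: 'yargs',      from: '11.0.0',  to: '12.0.1',  range: '^11.0.0', scope: 'dev',     security: false, ciPassed: true },
  { name: 'utillib',    from: '4.17.10', to: '4.17.11', range: '^4.17.0', scope: 'runtime', security: false, ciPassed: true },
  { name: 'typescript', from: '2.7.2',   to: '2.8.0',   range: '~2.7.0',  scope: 'dev',     security: false, ciPassed: true },
  { name: 'zerolib',    from: '0.3.4',   to: '0.4.0',   range: '^0.3.4',  scope: 'runtime', security: false, ciPassed: true },
  { name: 'parserlib',  from: '1.2.0',   to: '1.2.3',   range: '1.2.0',   scope: 'runtime', security: true,  ciPassed: true },
];

function evaluateAll(updates = SAMPLE_UPDATES, policy = POLICY) {
  return updates.map((u) => ({ name: u.name, ...shouldAutomerge(u, policy) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of evaluateAll()) console.log(r.name, r.merge ? 'MERGE' : 'hold', r.reason);
}
```

The typescript row is the case raised above: a `~2.7.0` range keeps the 2.8.0 minor out of range, so the update is held even though a "minor" policy flag would have waved it through; the zerolib row shows why the pre-1.0.0 guard matters, since `^0.3.4` already excludes 0.4.0 and the minor category is ignored below 1.0.0.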

greysteil commented 6 years ago

Shipped! 🚢


schoenwaldnils commented 5 years ago

Where can I find this option?

feelepxyz commented 5 years ago

@schoenwaldnils it's currently in private beta but happy to add your account! Which github account do you want it enabled for?