How can Dependabot be configured to focus exclusively on security updates?

[SatheeshS-optym]

I know currently dependabot v2 supports version update alone and my plan is to use dependabot for security updates. So, I have downgraded the dependabot version to v1 and while running dependabot with option useUpdateScriptvNext: true for .Net. It created PR for transitive package Microsoft.IdentityModel.JsonWebTokens from 7.0.0 to 7.1.2 but in our code, I'm already using version 8.1.2 which means dependabot tries to downgrade the version here. I have already seen the similar bug in https://github.com/tinglesoftware/dependabot-azure-devops/issues/1247 and want to know for security updates whether I should go ahead with option useUpdateScriptvNext: false or not.

Also, please let me know what will be the ETA for security updates in dependabot v2. Because v2 worked fine for us in version update with almost all the github dependabot options.

Nuget PR:-

package.lock.json

dependabot.yml

version: 2
updates:
  - package-ecosystem: "nuget"
    directory: /Engine
    labels:
      - "nuget"
      - "dependencies"
    open-pull-requests-limit: 0
    commit-message:
      prefix: "nuget"
      prefix-development: "nuget"
      include: "scope-and-version"
      separator: "-"
    groups:
      nuget:
        patterns:
          - "*"

  - package-ecosystem: "npm"
    directories:
    - /Backend/**/*
    - /Frontend/
    - /Shared/
    labels:
    - "npm"
    - "dependencies"
    open-pull-requests-limit: 0
    commit-message:
      prefix: "npm"
      prefix-development: "npm"
      include: "scope-and-version"
      separator: "-"
    groups:
      npm:
        patterns:
          - "*"  

  - package-ecosystem: "pip"
    directories:
    - /deployment/db-deploy-script
    - /Utility/PythonScripts/
    labels:
    - "pip"
    - "dependencies"
    open-pull-requests-limit: 0
    commit-message:
      prefix: "pip"
      prefix-development: "pip"
      include: "scope-and-version"
      separator: "-"
    groups:
      pip:
        patterns:
          - "*"  

dependabot-pipeline.yaml

trigger: none

pool:
 vmImage: ubuntu-latest

jobs:
  - job: Dependabot
    displayName: Dependabot Execution
    timeoutInMinutes: 120
    steps:
    - script: |
        sudo cp -r $(Build.SourcesDirectory)/.azuredevops/ /.azuredevops/
      displayName: Move Dependabot file

    - task: dependabot@1
      inputs:
        azureDevOpsAccessToken: '$(System.AccessToken)'
        gitHubAccessToken: '$(GITHUB_ACCESS_TOKEN)'
        useUpdateScriptvNext: true
        extraEnvironmentVariables: "DEPENDABOT_AUTHOR_EMAIL=example@domain.com;DEPENDABOT_AUTHOR_NAME=example;DEPENDABOT_SECURITY_UPDATES_ONLY=true"
      displayName: Run Dependabot 

[rhyskoedijk]

@SatheeshS-optym it's hard to say what the cause is without seeing a copy of the task output logs; they would show why Dependabot decided to downgrade the dependency.

I can say that there are known issues in dependabot-core for the NuGet ecosystem around transitive dependencies, central package manager, package locks, and large grouped updates (i.e. pattern: *). So any one of these could be contributing to your issue.

If you are able to provide the relevant logs of this package update from your task log, I can investigate further.

Regarding support for security-only updates:

• Using task V1 with useUpdateScriptvNext: false will likely give the least accurate results as it doesn't use the dependabot-core updater to perform updates;
• Using task V1 with useUpdateScriptvNext: true will likely give the most accurate results currently (albeit, not perfect);
• Using task V2 does not support security-only updates yet, but is being worked on in https://github.com/tinglesoftware/dependabot-azure-devops/pull/1394

There is no firm ETA on security-only update support for V2; I'm working on it and hope to have a first release of this ready before the end of the year.

[SatheeshS-optym]

@rhyskoedijk Thanks for the detailed comments. It helped me to understand more about the dependabot related to security updates. I'm using central package manager file (Directory.Packages.props) in .NET application and I have attached the complete log file and dependabot.yml file which I used on this specific run. Also, we are waiting to use dependabot v2 for security updates. Hoping it will be rolled out soon.

dependabot.yml.txt 5_Run Dependabot.txt