tinglesoftware / dependabot-azure-devops

Tools for updating dependencies in Azure DevOps repositories using https://dependabot.com
MIT License

Are security-only updates supported? #161

Closed 304NotModified closed 1 year ago

304NotModified commented 3 years ago

Hi,

We'd like to use this great extension for our security updates on Azure DevOps Services. Is it possible to only create pull requests for security updates?

We tried with "dependency-type":"security" - found on https://github.com/tinglesoftware/dependabot-azure-devops/blob/main/src/script/update-script.rb#L173

But it always gives: not allowed, e.g.:

Checking if gulp-scss-lint  needs updating
Requirements to unlock own
Updating gulp-scss-lint is not allowed

Tested with gulp-scss-lint 0.7.2 (link to GitHub security database) and log4net 2.0.9 (link to GitHub security database)

full yaml:

trigger: none # Disable CI trigger

schedules:
- cron: '0 2 * * *' # daily at 2am UTC
  always: true # run even when there are no code changes
  branches:
    include:
      - master
      - main
  batch: true
  displayName: Daily

# variables declared below can be put in one or more Variable Groups for sharing across pipelines
variables:
  DEPENDABOT_ALLOW_CONDITIONS: '[{"dependency-name":".*","dependency-type":"security"}]' # packages allowed to be updated

pool:
  vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported)

steps:
- task: dependabot@1
  inputs:
    useConfigFile: true

full package.json:

{
  "name": "Sample frontend",
  "version": "0.1.0",
  "private": true,
  "scripts": {},
  "dependencies": {
    "axios": "^0.21.0",
    "core-js": "^3.6.5",
    "guid-typescript": "^1.0.9",
    "vee-validate": "^3.4.5",
    "vue": "^2.6.11",
    "vue-cleave-component": "^2.1.3",
    "vuex": "^3.6.2",
    "gulp-scss-lint": "0.7.2"
  },
  "devDependencies": {
    "@types/jest": "^24.0.19",
    "@typescript-eslint/eslint-plugin": "^2.33.0",
    "@typescript-eslint/parser": "^2.33.0",
    "@vue/cli-plugin-babel": "~4.5.0",
    "@vue/cli-plugin-eslint": "~4.5.0",
    "@vue/cli-plugin-typescript": "~4.5.0",
    "@vue/cli-plugin-unit-jest": "~4.5.0",
    "@vue/cli-service": "~4.5.0",
    "@vue/eslint-config-prettier": "^6.0.0",
    "@vue/eslint-config-typescript": "^5.0.2",
    "@vue/test-utils": "^1.0.3",
    "copy-modules-webpack-plugin": "^2.1.1",
    "eslint": "^6.7.2",
    "eslint-plugin-prettier": "^3.1.3",
    "eslint-plugin-vue": "^6.2.2",
    "flush-promises": "^1.0.2",
    "jest-junit": "^12.0.0",
    "lint-staged": "^9.5.0",
    "prettier": "^1.19.1",
    "sass": "^1.26.5",
    "sass-loader": "^8.0.2",
    "typescript": "~3.9.3",
    "vue-svg-loader": "^0.16.0",
    "vue-template-compiler": "^2.6.11"
  }
}

304NotModified commented 3 years ago

polite bump @mburumaxwell

mburumaxwell commented 3 years ago

@304NotModified

We have not added full support for security updates only but PRs are always welcome. 🙂

However, changing the lines you referenced may not produce the results you desire. I suggest looking at the following:

  1. https://github.com/dependabot/dependabot-core/blob/7f03508df305a9fb44b188ead5cb4fb360471ab8/bin/dry-run.rb#L533-L534
  2. https://github.com/dependabot/dependabot-core/blob/7f03508df305a9fb44b188ead5cb4fb360471ab8/bin/dry-run.rb#L613

304NotModified commented 3 years ago

Do you mean we have to port these lines or use that script instead of this plugin?

mburumaxwell commented 3 years ago

Porting the lines and any other related ones should do because our script borrows heavily from the test one in the parent repository.

mizevkon commented 2 years ago

According to update-script.rb#L314 it allows security updates even if the dependency is outside of the allow list, so you can do a bit of a hack with: DEPENDABOT_ALLOW_CONDITIONS: '[{"dependency-name":"a1","dependency-type":"all"}]' # specify any non-existing package name, so it will ignore everything but still allow security updates
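
To make the effect of that workaround concrete, here is an added, constructed Ruby model of the decision described in this thread (not the project's update-script.rb and not dependabot-core code): vulnerable dependencies are updated regardless of the allow list, and a non-matching dependency-name therefore suppresses every plain version update while security updates still go through. It assumes dependency-name is an anchored regular expression (as the ".*" pattern in the issue suggests) and uses a three-package sample snapshot in which gulp-scss-lint is the only vulnerable one.

```ruby
require 'json'

# Constructed dependency snapshot: name, dependency type, and whether an
# advisory covers the installed version (gulp-scss-lint per the issue).
Dep = Struct.new(:name, :type, :vulnerable, keyword_init: true)

SAMPLE_DEPS = [
  Dep.new(name: 'axios',          type: 'production',  vulnerable: false),
  Dep.new(name: 'gulp-scss-lint', type: 'production',  vulnerable: true),
  Dep.new(name: 'eslint',         type: 'development', vulnerable: false)
].freeze

# Does one allow condition cover this dependency for a plain version update?
# Assumption: dependency-name is an anchored, case-insensitive regex, and
# dependency-type must be "all" or equal the dependency's own type, so a
# value such as "security" never matches anything.
def condition_matches?(cond, dep)
  name_re = Regexp.new("\\A#{cond['dependency-name']}\\z", Regexp::IGNORECASE)
  type = cond.fetch('dependency-type', 'all')
  name_re.match?(dep.name) && (type == 'all' || type == dep.type)
end

# Returns { name => :security | :version } for every dependency that would
# get a pull request under the given DEPENDABOT_ALLOW_CONDITIONS JSON.
def planned_updates(allow_conditions_json, deps = SAMPLE_DEPS)
  conditions = JSON.parse(allow_conditions_json)
  deps.each_with_object({}) do |dep, plan|
    if dep.vulnerable
      plan[dep.name] = :security           # allowed even outside the allow list
    elsif conditions.any? { |c| condition_matches?(c, dep) }
      plan[dep.name] = :version            # ordinary update, gated by the list
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # The workaround from this thread: a name that matches nothing.
  p planned_updates('[{"dependency-name":"a1","dependency-type":"all"}]')
  # The permissive list for comparison: everything gets a PR.
  p planned_updates('[{"dependency-name":".*","dependency-type":"all"}]')
end
```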

pciarach commented 2 years ago

Hello @mburumaxwell, why did you close it as 'not planned'? I think that this enhancement would be very useful. Even if you don't have time, maybe there will be someone brave enough to try to submit a PR ;)

304NotModified commented 2 years ago

I think this feature is a must have.

We tried changing the ruby script in the past, but unfortunately you really need some Ruby skills.