I use Dependabot in Azure DevOps and I get a flood of PRs created by dependabot for hotfix / patches. So, to be clear, updates related to x.y.z (many for z).
I don't want this to happen and I want to update only when a minor update is available (y).
I tried many, many different configurations but I cannot obtain this.
I've read the docs and this should be the proper way (here's .github/dependabot.yaml):
version: 2
updates:
- package-ecosystem: "maven"
directory: "/"
schedule:
interval: "daily"
target-branch: "develop"
allow:
- dependency-type: "direct"
update-types:
- "major"
- "minor"
But I still get requests to update spring boot from 3.3.4 to 3.3.5. What am I doing wrong?
Based on your requirement, you need to prevent dependabot from creating PRs for patch update.
To meet your requirement, you can use the ignore keyword to exclude all patch versions.
Defintiion sample:
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
ignore:
- dependency-name: "express"
# For Express, ignore all Dependabot updates for version 4 and 5
versions: ["4.x", "5.x"]
# For Lodash, ignore all updates
- dependency-name: "lodash"
# For AWS SDK, ignore all patch updates for version updates only
- dependency-name: "aws-sdk"
update-types: ["version-update:semver-patch"]
Here is an example:
version: 2
updates:
- package-ecosystem: "maven"
directory: "/"
schedule:
interval: "daily"
target-branch: "develop"
ignore:
- dependency-name: "*"
update-types: ["version-update:semver-patch"]
For more detailed info, you can refer to this doc: dependabot ignore