You can configure dependabot to ignore certain major versions or update types <https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#specifying-dependencies-and-versions-to-ignore> :
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "express"
        # For Express, ignore all updates for version 4 and 5
        versions: ["4.x", "5.x"]
        # For Lodash, ignore all updates
      - dependency-name: "lodash"
        # For AWS SDK, ignore all patch updates
      - dependency-name: "aws-sdk"
        update-types: ["version-update:semver-patch"]

Doesn't this help you with your concern?

On Sun, Feb 5, 2023 at 10:23 PM Piotr P. Karwasz <piotr.karw...@gmail.com> wrote:
> Hi Volkan,
>
> On Sun, 5 Feb 2023 at 21:02, Volkan Yazıcı <vol...@yazi.ci> wrote:
> > Let me also state that I don't have this problem in projects where
> > dependabot PRs are merged automatically, e.g., `log4j-tools`. PR comes in,
> > `verify` succeeds, PR gets merged, and I see this beautiful interaction in
> > my inbox. This simply puts a smile on my face, or when `verify` fails, a
> > frowning look to check what went wrong.
>
> Yes, that is a very nice configuration you have in `log4j-tools`.
>
> I am testing it in my `logging-log4j2` fork to see if all exclusions
> are right: there are many dependencies that we don't want to bump to
> the latest version.
>
> Piotr
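To see which proposed bumps a given `ignore` block actually suppresses before committing it (Piotr's "are all exclusions right" question), here is a small Python model of the rule matching. It is an added illustration, not part of the thread and not Dependabot's own code: it mirrors the quoted dependabot.yml rules as a Python structure (so it runs without a YAML library), supports `*` wildcards in `dependency-name` as Dependabot does, and simplifies `versions` to exact versions and x-ranges such as `4.x`; the names `IGNORE_RULES`, `is_ignored` and `surviving_updates` and the sample list of proposed bumps are all constructed for the example.

```python
"""Simplified model of how Dependabot's `ignore` rules decide whether a
proposed dependency update is suppressed.

Added illustration, not Dependabot's own code: it approximates the documented
semantics of `dependency-name`, `versions` and `update-types` for a handful
of cases and is not a substitute for the real version-range parser.
"""
import re
from fnmatch import fnmatchcase

# The ignore rules from the dependabot.yml quoted in the thread, written as a
# Python structure (constructed here) so the example runs without a YAML parser.
IGNORE_RULES = [
    {"dependency-name": "express", "versions": ["4.x", "5.x"]},
    {"dependency-name": "lodash"},                       # no qualifier: ignore everything
    {"dependency-name": "aws-sdk", "update-types": ["version-update:semver-patch"]},
]


def parse_version(version):
    """Return (major, minor, patch); missing parts are 0, suffixes like '-rc1' dropped."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparsable version: {version!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def version_matches(pattern, version):
    """Match one `versions` entry. Handles exact versions and x-ranges such as
    '4.x' or '4.1.x' (assumption: a simplification of the range syntax the
    package ecosystem supports)."""
    have = parse_version(version)
    for i, part in enumerate(pattern.split(".")[:3]):
        if part in ("x", "X", "*"):
            return True        # wildcard: everything from this component on matches
        if int(part) != have[i]:
            return False
    return True                # all given components matched (prefix semantics)


def update_type(from_version, to_version):
    """Classify a bump as the `update-types` value Dependabot would assign."""
    a, b = parse_version(from_version), parse_version(to_version)
    if a[0] != b[0]:
        return "version-update:semver-major"
    if a[1] != b[1]:
        return "version-update:semver-minor"
    return "version-update:semver-patch"


def is_ignored(rules, name, from_version, to_version):
    """True if any rule suppresses the update name: from_version -> to_version.
    `dependency-name` may contain '*' wildcards, as in Dependabot. A rule with
    neither `versions` nor `update-types` ignores every update of that dependency;
    otherwise either qualifier matching is treated as enough (assumption)."""
    for rule in rules:
        if not fnmatchcase(name, rule["dependency-name"]):
            continue
        versions = rule.get("versions", [])
        types = rule.get("update-types", [])
        if not versions and not types:
            return True
        if any(version_matches(p, to_version) for p in versions):
            return True
        if update_type(from_version, to_version) in types:
            return True
    return False


def surviving_updates(rules, candidates):
    """Given (name, from, to) tuples a scanner would propose, return those the
    ignore rules let through, i.e. the PRs you would actually see in your inbox."""
    return [c for c in candidates if not is_ignored(rules, *c)]


if __name__ == "__main__":
    # Constructed sample of proposed bumps.
    proposed = [
        ("express", "4.17.1", "4.18.2"),      # ignored: 4.x
        ("express", "4.18.2", "6.0.0"),       # opened: 6.x is not excluded
        ("lodash", "4.17.20", "4.17.21"),     # ignored: all lodash updates
        ("aws-sdk", "2.1300.0", "2.1300.1"),  # ignored: patch update
        ("aws-sdk", "2.1300.0", "2.1301.0"),  # opened: minor update
        ("react", "18.0.0", "18.2.0"),        # opened: no rule for react
    ]
    for name, frm, to in surviving_updates(IGNORE_RULES, proposed):
        print(f"PR would be opened: {name} {frm} -> {to}")
```

Running the script prints the three bumps the rules let through. The model is useful for catching rules that are broader than intended: an entry with neither `versions` nor `update-types`, like the `lodash` one, silences every update of that dependency, so keep such blanket rules to the few artefacts you genuinely never want bumped and use `versions` or `update-types` everywhere else.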