Hi Volkan,

On Mon, 6 Feb 2023 at 08:55, Volkan Yazıcı <vol...@yazi.ci> wrote:
>
> You can configure dependabot to ignore certain major versions or update types
> <https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#specifying-dependencies-and-versions-to-ignore>:
>
> ...
>
> Doesn't this help you with your concern?

That is exactly what I have done:

https://github.com/ppkarwasz/logging-log4j2/blob/2.x/.github/dependabot.yml

My main concern is:

 * is this list (mostly) complete?
 * for some dependencies (e.g. `slf4j-api`) we use multiple (1.7.25, latest 1.7.x and latest 2.x) versions depending on the module.

I'll let Dependabot run for a couple of weeks on my fork, before submitting a PR to the main repo.

Piotr