Add an option to ignore changes to manifest file until next scheduled bump #13900
fonji asked this question in Code Security (Unanswered, 0 replies)
If a change is made to a file like Gemfile.lock or yarn.lock, and that change is not the result of a merged dependabot pull request, dependabot re-bumps outside of the schedule. I'd like to avoid that (except for security fixes, of course).

Our current flow makes us create a common PR for each batch of dependabot updates, and then merge that one into the default branch after QA approval. Which then creates a new bump, not for security reasons. Nice loop we got there 😅

So I'd like an option to tell dependabot to stick to scheduled (i.e. monthly) bumps and not to care if we change the .lock file outside its PRs.

Have a nice day!