
Dependabot for LibMan

Open VahidN opened this issue 1 year ago • 4 comments

It would be nice to have a new dependabot package ecosystem for Library Manager. This would be relatively easy for dependabot to just look at an additional file (libman.json).

VahidN avatar Nov 21 '24 05:11 VahidN

Maybe instead: https://github.com/aspnet/LibraryManager/issues/803.

Piedone avatar Oct 22 '25 14:10 Piedone

While not integrated with dependabot, I did a side project to create a package that scans libman.json and looks for advisories in the GHSA database: https://www.nuget.org/packages/Libman.Audit

Dependabot integration would be better :)

jimmylewis avatar Oct 22 '25 17:10 jimmylewis

BTW in Renovate, which is similar to Dependabot (but I think better) you can create configs with custom regex patterns to keep libman.json dependencies up to date.

Piedone avatar Oct 22 '25 19:10 Piedone

We've done this with Renovate here: https://github.com/Lombiq/renovate-config/blob/15eff26a7ae9191fce39c26d3e11de051bcd0e96/default.json5#L65-L91 Renovate configured to automatically update LibMan package references.

Piedone avatar Dec 09 '25 19:12 Piedone
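
Added example, not code from LibraryManager, Libman.Audit, Renovate or any commenter in this thread: reading `libman.json` and resolving each entry to a provider, package name and version, which is the input an update or advisory check over that file needs. The manifest is constructed, and the names `Dependency`, `parse_libman` and `unversioned` are hypothetical.

```python
import json
from typing import NamedTuple, Optional

# Constructed sample manifest (not taken from the thread).
SAMPLE_LIBMAN_JSON = """
{
  "version": "1.0",
  "defaultProvider": "cdnjs",
  "libraries": [
    {"library": "jquery@3.6.0", "destination": "wwwroot/lib/jquery"},
    {"provider": "unpkg", "library": "@popperjs/core@2.11.8",
     "destination": "wwwroot/lib/popper"},
    {"provider": "filesystem", "library": "../vendor/legacy.js",
     "destination": "wwwroot/lib/legacy"}
  ]
}
"""

class Dependency(NamedTuple):
    provider: str
    name: str
    version: Optional[str]  # None when the entry carries no version

def parse_libman(text: str) -> list[Dependency]:
    """Return one Dependency per entry in a libman.json document."""
    manifest = json.loads(text)
    default_provider = manifest.get("defaultProvider", "")
    deps = []
    for entry in manifest.get("libraries", []):
        # A per-library provider overrides the manifest-wide default.
        provider = entry.get("provider") or default_provider
        library = entry.get("library", "")
        if provider == "filesystem":
            # Paths and URLs carry no version and may contain '@'; keep whole.
            deps.append(Dependency(provider, library, None))
            continue
        # Split on the last '@'; an '@' at index 0 is an npm scope marker.
        at = library.rfind("@")
        if at > 0:
            name, version = library[:at], library[at + 1:]
        else:
            name, version = library, ""
        deps.append(Dependency(provider, name, version or None))
    return deps

def unversioned(deps: list[Dependency]) -> list[Dependency]:
    """Entries that cannot be matched against a versioned advisory range."""
    return [d for d in deps if d.version is None]
```

Entries returned by `unversioned` cannot be checked by version and need manual review.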