Allow Dependabot to be configured to ONLY create PRs for private registry updates
I'd like for Dependabot to ONLY create the following PRs:
- All security updates
- Updates (major, minor, patch) for dependencies in the mycompany registry.
Given the following logic currently supported by the dependabot.yml file, that does not seem possible:
By default all dependencies that are explicitly defined in a manifest or lock file are kept up to date. You can use allow and ignore to customize which dependencies to maintain with version updates. Dependabot checks for all allowed dependencies and then filters out any ignored dependencies or versions. So a dependency that is matched by both an allow and an ignore will be ignored.
I'm thinking that perhaps if allow and ignore had a registries prop, allowing you to allow/ignore dependencies in registries, that would get what I'm looking for. Although, since ignore takes precedence over allow, it would require the ability to reference default (public) registries. Maybe something like this:
version: 2
registries:
  mycompany:
    type: npm-registry
    url: 'https://npm.pkg.github.com'
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    registries:
      - 'mycompany'
    schedule:
      interval: 'daily'
    ignore:
      - registries: ['public']
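To make the precedence argument concrete, here is a small Python model (added here, not Dependabot's own code) of the quoted allow/ignore semantics, extended with the hypothetical `registries` selector from the proposal. It assumes the behaviour the request asks for: security updates are always raised, and `ignore` is applied after `allow`, so an ignored dependency always loses.

```python
"""Model of dependabot.yml allow/ignore precedence with a hypothetical
`registries` selector. This is illustrative code, not Dependabot's own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    name: str
    registry: str      # "mycompany" for the private registry, "public" otherwise
    update_type: str   # "version" or "security"


def _matches(rule: dict, dep: Dependency) -> bool:
    """A rule matches when every selector it names matches the dependency.
    `dependency-name` is a real dependabot.yml selector; `registries` is the
    hypothetical selector proposed in this issue."""
    if "dependency-name" in rule and rule["dependency-name"] != dep.name:
        return False
    if "registries" in rule and dep.registry not in rule["registries"]:
        return False
    return True


def should_update(update_cfg: dict, dep: Dependency) -> bool:
    """Decide whether a PR would be opened under the proposed semantics."""
    # Requirement 1 in the issue: security updates are always created.
    if dep.update_type == "security":
        return True
    allow = update_cfg.get("allow")
    ignore = update_cfg.get("ignore", [])
    # With no allow list, every dependency in the manifest is allowed
    # (the default quoted from the docs above).
    allowed = allow is None or any(_matches(r, dep) for r in allow)
    # Ignore is evaluated after allow, so a dependency matched by both
    # an allow and an ignore rule is ignored.
    ignored = any(_matches(r, dep) for r in ignore)
    return allowed and not ignored


# The `updates` entry from the proposed dependabot.yml, as a dict
# (constructed sample; mirrors the YAML in the issue).
PROPOSED_UPDATE = {
    "package-ecosystem": "npm",
    "registries": ["mycompany"],
    "ignore": [{"registries": ["public"]}],
}
```

Run `should_update(PROPOSED_UPDATE, Dependency("lodash", "public", "version"))` to see a public version update filtered out while the same package's security update still passes.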
This is something we are looking for as well. One use case is if you want to maintain an internal/private repository where all packages are pre-scanned for vulnerabilities, and only scanned packages are available.
We added some more features around this, and now even document specifically how to restrict Dependabot to only access private registries.