
Is it possible to create PR's only for security updates?

Open v1sion opened this issue 4 years ago • 3 comments

Hey, kudos for the great work. Quick question: in the dependabot hosted version (https://app.dependabot.com) I'm able to select "Only security updates" for PRs. Is it possible to do the same here? Cheers

v1sion avatar Apr 21 '20 09:04 v1sion

I've been trying to make this work all afternoon. I think the answer is that dependabot-script is not currently set up to do that, but if you change generic-update-script.rb line 161 from next if checker.up_to_date? to next unless checker.vulnerable? that should do it. This could be configured as an environment variable switch. I don't know Ruby but it's something like:

# Proposed replacement for the single `next if checker.up_to_date?` line:
# an environment-variable switch between the two update modes.
if ENV["UPDATE_MODE"] == "security"
  next unless checker.vulnerable?   # security mode: skip anything not flagged by an advisory
else
  next if checker.up_to_date?       # default mode: skip anything already current
end

You can see the definition of vulnerable? method in dependabot-core.

The version you upgrade to appears to be determined by preferred_resolvable_version, which gives you the lowest_resolvable_security_fix_version if vulnerable? returns true, and the latest version otherwise.

The difficulty I've been having is that detecting the vulnerable version doesn't seem to work the same way as on Github. I'm working with the nuget provider so perhaps it's different for others but:

  • checker.vulnerable? always returns false
  • if there is a security advisory like this one for HtmlSanitizer then checker.lowest_resolvable_security_fix_version will return the version with the fix, suggesting it is successfully checking the Github Advisory Database
  • if there is no advisory, or you already have the version in the advisory, then checker.lowest_resolvable_security_fix_version will just return the next version up from whatever you're using. If you try to use checker.lowest_resolvable_security_fix_version rather than checker.vulnerable? to test for whether to upgrade you still end up getting prompted to upgrade to the latest version, but one step at a time.

I haven't checked the npm/yarn provider as thoroughly but I think the problem might be similar. The one check I've run reported back:

lodash 4.17.0

  • checker.up_to_date?: false
  • checker.vulnerable?: false
  • checker.latest_version: 4.17.21
  • checker.lowest_security_fix_version: 4.17.1

But actually there is a high-severity advisory that says you should update to 4.17.21, so lowest_security_fix_version is not recommending the right version and vulnerable? is incorrectly set to false.

These results are from 0.140.3 of the dependabot-core Docker image, which isn't the latest but it's not very old and the relevant bits of code appear not to have changed.

sussexrick avatar Jun 04 '21 16:06 sussexrick

As far as I can tell there is currently no place instantiating a SecurityAdvisory in dependabot-core, so I guess what's necessary is downloading a list in your own script and turning that into SecurityAdvisory instances for the rest to work properly.

Am I missing a helper doing something like that already or is this really something to be implemented by each individual?

NobodysNightmare avatar Mar 11 '22 15:03 NobodysNightmare
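The two comments above together describe what is missing: the UPDATE_MODE gate on its own does nothing useful because checker.vulnerable? can only answer once security advisories have been handed to the update checker, and nothing in dependabot-core builds them for you. The script below is an added example, not code from dependabot-script or dependabot-core. It reads a constructed advisory list (the JSON shape is hypothetical, invented for this example; only the lodash range matches the advisory the thread mentions), turns it into local advisory objects, and reproduces the vulnerable? / lowest-fix-version / UPDATE_MODE decisions with RubyGems version requirements so it runs without dependabot-core. The final function converts those objects into Dependabot::SecurityAdvisory instances; the four constructor keywords and passing the result as security_advisories: to the update checker are assumptions, so that call is only made when the gem is actually loaded.

```ruby
require "json"
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Constructed sample advisory feed (hypothetical export shape, not a real file).
# The lodash entry mirrors the advisory discussed in the thread; the nuget
# entry is invented to show a range with both a lower and an upper bound.
SAMPLE_ADVISORIES_JSON = <<~JSON
  [
    {"package_manager": "npm", "dependency_name": "lodash",
     "vulnerable_versions": ["< 4.17.21"], "safe_versions": [">= 4.17.21"]},
    {"package_manager": "nuget", "dependency_name": "Example.Sanitizer",
     "vulnerable_versions": [">= 1.0.0, < 1.4.2"], "safe_versions": [">= 1.4.2"]}
  ]
JSON

# Local stand-in for Dependabot::SecurityAdvisory so the script runs without
# dependabot-core. Ranges use RubyGems requirement syntax; a comma joins
# constraints that must all hold for the version to count as vulnerable.
LocalAdvisory = Struct.new(:dependency_name, :package_manager,
                           :vulnerable_versions, :safe_versions,
                           keyword_init: true) do
  def vulnerable?(version)
    v = Gem::Version.new(version)
    vulnerable_versions.any? do |range|
      Gem::Requirement.new(*range.split(",").map(&:strip)).satisfied_by?(v)
    end
  end
end

def load_advisories(json)
  JSON.parse(json).map do |h|
    LocalAdvisory.new(
      dependency_name: h.fetch("dependency_name"),
      package_manager: h.fetch("package_manager"),
      vulnerable_versions: h.fetch("vulnerable_versions"),
      safe_versions: h.fetch("safe_versions")
    )
  end
end

# Advisories that apply to one dependency (package names compared case-insensitively,
# which matters for nuget).
def advisories_for(advisories, package_manager, name)
  advisories.select do |a|
    a.package_manager == package_manager && a.dependency_name.casecmp?(name)
  end
end

# What checker.vulnerable? should answer once advisories are supplied.
def vulnerable?(advisories, package_manager, name, version)
  advisories_for(advisories, package_manager, name).any? { |a| a.vulnerable?(version) }
end

# Lowest available version above the current one that no applicable advisory
# still flags; nil when no such version exists (no fix published yet).
def lowest_security_fix_version(advisories, package_manager, name, current, available)
  relevant = advisories_for(advisories, package_manager, name)
  cur = Gem::Version.new(current)
  available.map { |v| Gem::Version.new(v) }.sort
           .find { |v| v > cur && relevant.none? { |a| a.vulnerable?(v.to_s) } }
           &.to_s
end

# The UPDATE_MODE switch from the thread, expressed as "which version to open
# a PR for": in "security" mode only a vulnerable dependency gets a target and
# the target is the lowest fix; in any other mode an outdated dependency is
# bumped to the latest available version.
def target_version(mode, advisories, package_manager, name, current, available)
  latest = available.map { |v| Gem::Version.new(v) }.max
  if mode == "security"
    return nil unless vulnerable?(advisories, package_manager, name, current)
    lowest_security_fix_version(advisories, package_manager, name, current, available)
  else
    latest == Gem::Version.new(current) ? nil : latest.to_s
  end
end

# Bridge to dependabot-core. Assumption: Dependabot::SecurityAdvisory.new accepts
# these four keywords and the resulting array is what the update checker expects
# as security_advisories:. Returns [] when the gem is not loaded.
def to_dependabot_advisories(local_advisories)
  return [] unless defined?(Dependabot::SecurityAdvisory)
  local_advisories.map do |a|
    Dependabot::SecurityAdvisory.new(
      dependency_name: a.dependency_name,
      package_manager: a.package_manager,
      vulnerable_versions: a.vulnerable_versions,
      safe_versions: a.safe_versions
    )
  end
end

if __FILE__ == $PROGRAM_NAME
  advisories = load_advisories(SAMPLE_ADVISORIES_JSON)
  available = %w[4.17.0 4.17.1 4.17.12 4.17.20 4.17.21 4.18.0] # constructed registry listing
  mode = ENV.fetch("UPDATE_MODE", "security")
  puts "lodash 4.17.0 vulnerable? #{vulnerable?(advisories, 'npm', 'lodash', '4.17.0')}"
  puts "target in #{mode} mode: #{target_version(mode, advisories, 'npm', 'lodash', '4.17.0', available).inspect}"
end
```

With the advisory loaded, lodash 4.17.0 is reported vulnerable and the security-mode target is 4.17.21, not the "next version up" the checker returns when its advisory list is empty; with no applicable advisory the dependency is skipped entirely in security mode. In the real script the advisory list would come from a download rather than the embedded constant, and the fix-version lookup would be left to checker.lowest_resolvable_security_fix_version once the advisories are passed in.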

Check out the tingle/dependabot-azure-devops:0.13 image: https://github.com/tinglesoftware/dependabot-azure-devops/blob/main/script/README.md. It can be set up to only create PRs for packages with vulnerabilities. You should use the following param:

  • DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT=0

(tested with image 0.13)

vip32 avatar Jan 04 '23 19:01 vip32