Are security-only updates supported?
Hi,
We like to use this great extension for our security updates on Azure Devops Services. Is it possible to only create pull requests for security updates?
We tried with `"dependency-type":"security"` - found on https://github.com/tinglesoftware/dependabot-azure-devops/blob/main/src/script/update-script.rb#L173
But it always gives: not allowed, e.g.:
Checking if gulp-scss-lint needs updating
Requirements to unlock own
Updating gulp-scss-lint is not allowed
Tested with gulp-scss-lint 0.7.2 (link to GitHub security database) and log4net 2.0.9 (link to GitHub security database)
full yaml:
```yaml
trigger: none # Disable CI trigger
schedules:
- cron: '0 2 * * *' # daily at 2am UTC
  always: true # run even when there are no code changes
  branches:
    include:
    - master
    - main
  batch: true
  displayName: Daily
# variables declared below can be put in one or more Variable Groups for sharing across pipelines
variables:
  DEPENDABOT_ALLOW_CONDITIONS: '[{"dependency-name":".*","dependency-type":"security"}]' # packages allowed to be updated
pool:
  vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported)
steps:
- task: dependabot@1
  inputs:
    useConfigFile: true
```
full package.json:
```json
{
  "name": "Sample frontend",
  "version": "0.1.0",
  "private": true,
  "scripts": {},
  "dependencies": {
    "axios": "^0.21.0",
    "core-js": "^3.6.5",
    "guid-typescript": "^1.0.9",
    "vee-validate": "^3.4.5",
    "vue": "^2.6.11",
    "vue-cleave-component": "^2.1.3",
    "vuex": "^3.6.2",
    "gulp-scss-lint": "0.7.2"
  },
  "devDependencies": {
    "@types/jest": "^24.0.19",
    "@typescript-eslint/eslint-plugin": "^2.33.0",
    "@typescript-eslint/parser": "^2.33.0",
    "@vue/cli-plugin-babel": "~4.5.0",
    "@vue/cli-plugin-eslint": "~4.5.0",
    "@vue/cli-plugin-typescript": "~4.5.0",
    "@vue/cli-plugin-unit-jest": "~4.5.0",
    "@vue/cli-service": "~4.5.0",
    "@vue/eslint-config-prettier": "^6.0.0",
    "@vue/eslint-config-typescript": "^5.0.2",
    "@vue/test-utils": "^1.0.3",
    "copy-modules-webpack-plugin": "^2.1.1",
    "eslint": "^6.7.2",
    "eslint-plugin-prettier": "^3.1.3",
    "eslint-plugin-vue": "^6.2.2",
    "flush-promises": "^1.0.2",
    "jest-junit": "^12.0.0",
    "lint-staged": "^9.5.0",
    "prettier": "^1.19.1",
    "sass": "^1.26.5",
    "sass-loader": "^8.0.2",
    "typescript": "~3.9.3",
    "vue-svg-loader": "^0.16.0",
    "vue-template-compiler": "^2.6.11"
  }
}
```
polite bump @mburumaxwell
@304NotModified
We have not added full support for security updates only but PRs are always welcome. 🙂
However, changing the lines you referenced may not produce the results you desire. I suggest looking at the following:
- https://github.com/dependabot/dependabot-core/blob/7f03508df305a9fb44b188ead5cb4fb360471ab8/bin/dry-run.rb#L533-L534
- https://github.com/dependabot/dependabot-core/blob/7f03508df305a9fb44b188ead5cb4fb360471ab8/bin/dry-run.rb#L613
Do you mean we have to port these lines or use that script instead of this plugin?
Porting the lines and any other related ones should do because our script borrows heavily from the test one in the parent repository.
According to update-script.rb#L314 it allows security updates even if the dependency is outside of the allow list, so you can do a bit of a hack with:
DEPENDABOT_ALLOW_CONDITIONS: '[{"dependency-name":"a1","dependency-type":"all"}]' # specify any non-existing package name, so it will ignore everything but still allow security updates
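As an added illustration (not code from this extension or from dependabot-core), the following small Ruby model captures the two rules discussed in this thread: an allow condition matches a dependency by name pattern and dependency type, and a dependency with a known security advisory is updated even when it matches no allow condition. It covers both the original `"dependency-type":"security"` attempt and the `a1` hack above. The names `Dependency`, `Advisory`, `update_allowed?` and the `production`/`development` kinds are assumptions made for the illustration; advisories are passed in explicitly, because the thread does not say how the script learns about them, and whether any advisory data is present is exactly what decides if the hack produces a security PR.

```ruby
# Added example: a simplified model of allow conditions plus security overrides.
# Not the extension's own code; struct and method names are hypothetical.
require "json"

Dependency = Struct.new(:name, :version, :production, keyword_init: true)
Advisory   = Struct.new(:name, :vulnerable_versions, keyword_init: true)

# Parse DEPENDABOT_ALLOW_CONDITIONS: a JSON list of {"dependency-name", "dependency-type"}.
def parse_allow_conditions(json)
  JSON.parse(json).map do |c|
    { name: c.fetch("dependency-name", ".*"), type: c.fetch("dependency-type", "all") }
  end
end

# Does one allow condition match this dependency?
# "dependency-type" is compared with the kind of dependency (assumed here to be
# "production" or "development"); "all" matches every kind. "security" is not a
# kind a dependency can have, so in this model such a condition matches nothing.
def matches_condition?(dep, cond)
  name_ok = Regexp.new("\\A#{cond[:name]}\\z").match?(dep.name)
  type_ok = case cond[:type]
            when "all" then true
            when "production" then dep.production
            when "development" then !dep.production
            else false
            end
  name_ok && type_ok
end

# Is an advisory known for this exact dependency version? (constructed lookup)
def vulnerable?(dep, advisories)
  advisories.any? { |a| a.name == dep.name && a.vulnerable_versions.include?(dep.version) }
end

# A dependency is updated if it matches an allow condition, OR if a known
# security advisory applies even though it is outside the allow list
# (the behaviour this thread attributes to update-script.rb#L314).
def update_allowed?(dep, conditions, advisories)
  conditions.any? { |c| matches_condition?(dep, c) } || vulnerable?(dep, advisories)
end

# Constructed sample data, loosely modelled on the package.json in this issue.
SAMPLE_DEPS = [
  Dependency.new(name: "gulp-scss-lint", version: "0.7.2", production: true),
  Dependency.new(name: "axios", version: "0.21.0", production: true),
  Dependency.new(name: "prettier", version: "1.19.1", production: false),
].freeze
SAMPLE_ADVISORIES = [
  Advisory.new(name: "gulp-scss-lint", vulnerable_versions: ["0.7.2"]),
].freeze

# Map each dependency name to whether it would be updated under the given conditions.
def decisions(allow_json, deps = SAMPLE_DEPS, advisories = SAMPLE_ADVISORIES)
  conditions = parse_allow_conditions(allow_json)
  deps.to_h { |d| [d.name, update_allowed?(d, conditions, advisories)] }
end

if __FILE__ == $0
  # "security" as a dependency-type matches nothing; only advisory data lets a package through.
  p decisions('[{"dependency-name":".*","dependency-type":"security"}]')
  # Same conditions but no advisory data at all: nothing is allowed, as in the log above.
  p decisions('[{"dependency-name":".*","dependency-type":"security"}]', SAMPLE_DEPS, [])
  # The hack from this thread: a non-existent name blocks everything except security updates.
  p decisions('[{"dependency-name":"a1","dependency-type":"all"}]')
  # Default: everything allowed.
  p decisions('[{"dependency-name":".*","dependency-type":"all"}]')
end
```

The second call is the case worth checking before relying on the hack: with no advisory data reaching the script, the `a1` condition blocks every package and no security PR is raised either, which matches the "is not allowed" lines in the log above.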
Hello @mburumaxwell, why did you close it as 'not planned'? I think that this enhancement would be very useful. Even if you don't have time, maybe there will be someone brave enough to try to submit PR ;)
I think this feature is a must have.
We tried changing the Ruby script in the past, but unfortunately you really need some Ruby skills.