
Only update minor and patch versions #915

Open
cmorinupgrade opened this issue May 6, 2023 · 1 comment

Comments

@cmorinupgrade

Context
I am running dependabot-script using the dependabot-core image in an Argo Workflow on AWS EKS.

Package managers I use

  • npm_and_yarn
  • maven
  • go_modules
  • pip

What I am trying to achieve
There is a requirement to only update minor and patch versions. I took a deep look at the dependabot-core and dependabot-script codebases and haven't found anything related to the equivalent update-types in the Dependabot SaaS offering. The only thing I have found is the IGNORE_CONDITIONS environment variable, which seems to only be available for the Dependabot CLI.

Was anybody here able to configure the UpdateChecker (or any other component along the process) so it only updates minor and patch versions? I work in a large company where bumping major versions is not always possible due to the potential regression and security considerations it may have.

Thank you

@manuelfernandezmlx

I think you need to pass ignored_versions to the UpdateChecker. In my case, I wanted to avoid updating major and minor versions. I ended up doing something along these lines (only relevant lines are shown). Please take into account that I had never touched a line of Ruby before, and I have just started to look into dependabot-script.

```ruby
require "dependabot/config/ignore_condition"
require "dependabot/config/update_config"
require "dependabot/update_checkers"

# Build the ignored_versions list for one dependency: every version that a
# major or minor bump would reach is ignored, so only patch updates remain.
def ignored_versions_for(dep)
  ics = [Dependabot::Config::IgnoreCondition.new(
    dependency_name: "*",
    versions: [],
    update_types: ["version-update:semver-major", "version-update:semver-minor"]
  )]
  Dependabot::Config::UpdateConfig
    .new(ignore_conditions: ics)
    .ignored_versions_for(dep, security_updates_only: false)
end

# Hand the computed ignore list to the UpdateChecker for this package manager.
# package_manager, dep, files, credentials and options come from the surrounding
# dependabot-script code and are not shown here.
checker = Dependabot::UpdateCheckers.for_package_manager(package_manager).new(
  dependency: dep,
  dependency_files: files,
  credentials: credentials,
  options: options,
  ignored_versions: ignored_versions_for(dep)
)
```
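To make the effect of those update_types concrete, here is a small stand-alone Ruby model of what an ignore condition does to the candidate versions an update checker would otherwise consider. It is an added example, not code from dependabot-core or dependabot-script: it uses the stdlib Gem::Version rather than Dependabot's version classes, the update-type strings are the ones named in the comment above, and the classification of a candidate as a major, minor or patch upgrade is this example's own simplification. It runs the original poster's policy (ignore major only) next to the commenter's (ignore major and minor) against a constructed list of released versions.

```ruby
require "rubygems" # Gem::Version ships with RubyGems; the require is harmless on modern Ruby

# Update-type names as they appear in the ignore condition above.
MAJOR = "version-update:semver-major"
MINOR = "version-update:semver-minor"
PATCH = "version-update:semver-patch"

# Classify +candidate+ relative to +current+ (this example's own rule, not
# Dependabot's): nil when it is not an upgrade, otherwise MAJOR, MINOR or PATCH
# depending on the first release segment that differs. Pre-release tags such
# as 2.0.0-rc1 are compared on their release part, so they count as major here.
def update_type(current, candidate)
  cur = Gem::Version.new(current)
  cand = Gem::Version.new(candidate)
  return nil if cand <= cur

  cur_seg = cur.release.segments
  cand_seg = cand.release.segments
  # Pad to three components so "2.1" is treated like "2.1.0".
  cur_seg += [0] * (3 - cur_seg.size) if cur_seg.size < 3
  cand_seg += [0] * (3 - cand_seg.size) if cand_seg.size < 3

  return MAJOR if cand_seg[0] != cur_seg[0]
  return MINOR if cand_seg[1] != cur_seg[1]
  PATCH
end

# Drop every candidate whose update type is in +ignored_types+; this is the
# filtering that passing ignored_versions to the UpdateChecker achieves.
def allowed_upgrades(current, candidates, ignored_types)
  candidates.select do |v|
    type = update_type(current, v)
    !type.nil? && !ignored_types.include?(type)
  end
end

# The version the checker would pick: the highest candidate that survived the filter.
def highest_allowed(current, candidates, ignored_types)
  allowed_upgrades(current, candidates, ignored_types)
    .max_by { |v| Gem::Version.new(v) }
end

# Constructed sample: a dependency at 1.4.2 and a mixed set of released versions.
CURRENT = "1.4.2"
CANDIDATES = %w[1.4.1 1.4.2 1.4.3 1.5.0 1.5.1 2.0.0-rc1 2.0.0 3.1.0]

if __FILE__ == $PROGRAM_NAME
  puts "ignore major only   -> #{allowed_upgrades(CURRENT, CANDIDATES, [MAJOR]).inspect}"
  puts "                      picks #{highest_allowed(CURRENT, CANDIDATES, [MAJOR])}"
  puts "ignore major+minor  -> #{allowed_upgrades(CURRENT, CANDIDATES, [MAJOR, MINOR]).inspect}"
  puts "                      picks #{highest_allowed(CURRENT, CANDIDATES, [MAJOR, MINOR])}"
end
```

With the poster's policy the checker would land on 1.5.1; with the commenter's it would land on 1.4.3. The posted snippet passes security_updates_only: false, so these ignore rules apply to every update, which means a fix that a maintainer only ships in the next major line is also filtered out; a team that relies on this policy should track advisories for the majors it is deliberately not following.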
