0 votes
0 answers
84 views

We have multiple .NET repos. I have set up dependabot in one of my repos, it works as expected. But I'm facing a problem with another repo. This repo has multiple solution files and different folder ...
Vivek Nuna's user avatar
  • 30.9k
4 votes
0 answers
41 views

I’m trying to use GitHub Dependabot with a private PyPI feed hosted in Azure Artifacts and am running into a download failure. Dependabot successfully authenticates to the Azure Artifacts PyPI feed. ...
cctan777's user avatar
0 votes
1 answer
552 views

I'm trying to get Dependabot to give me different PRs for major versions and minor/patch versions. Here's the config I tried: version: 2 updates: # GH Actions - package-ecosystem: "github-...
Roboroads's user avatar
  • 1,757
0 votes
1 answer
442 views

I am trying -- and failing -- to get Dependabot Versions to scan a Java repository for stale Maven dependencies, where those dependencies are private packages hosted in GitHub Packages in the same ...
Ben Fowler's user avatar
0 votes
1 answer
509 views

In my scenario dependabot creates a PR in GitHub repo, then I approve the PR and merge (with rebase) it. In my GitHub action (running on push) if I check github.actor on this merge - it will be my ...
Comfortably Numb's user avatar
1 vote
0 answers
343 views

I have a GitHub monorepo that contains a NestJS server app and several Angular applications. I use GitHub and Dependabot, but I do not want it alerting me about major package updates to Angular or ...
Chris Barr's user avatar
  • 34.7k
0 votes
0 answers
87 views

I get the following error when dependabot tries to restore nugets for a dotnet8/ios17 MAUI project: updater | 2025/03/11 16:30:47 INFO <job_978645085> Discovery JSON path for workspace path [/...
XDS's user avatar
  • 4,344
3 votes
1 answer
350 views

I am referring to the optional references that I can specify in my dependabot.yaml file from Optional reference for dependabot. As per the documentation, it is said that I can enable vendor for package-...
C.k.'s user avatar
  • 125
1 vote
0 answers
124 views

I have a Node.js application deployed as Docker container. When it comes to checking for known vulnerabilities, that happens at three places: In a pre-merge check via a wrapper around npm audit ...
cis's user avatar
  • 1,403
2 votes
0 answers
135 views

How do you proceed if the Dependabot is not able to create a PR for an alert but just outlines a "Workaround"? I did what the workaround suggested, merged my changes and was expecting the ...
flexx's user avatar
  • 31
0 votes
1 answer
892 views

I am trying to implement dependabot on my Organization Azure DevOps Pipeline. We have multi repos. I am using a script ps1 to distribute for all the repos the Github/dependabot.yaml file and the ...
Malasartes's user avatar
2 votes
0 answers
1k views

I'm trying to set up Dependabot to keep our project Golang version up to date, but recently we received a PR from it to update our Golang version to a release candidate version (which is unwanted). ...
Eleandro Duzentos's user avatar
4 votes
0 answers
2k views

I have the following Dependabot alert Title: ws affected by a DoS when handling a request with many HTTP headers Description: Dependabot cannot update ws to a non-vulnerable version The latest possible ...
Europa's user avatar
  • 1,452
0 votes
1 answer
525 views

I've made a pretty basic workflow that is supposed to post a message with a link to the PR whenever Dependabot creates a new vulnerability/dependency update PR (and then update the original message ...
Ashton Becher's user avatar
2 votes
0 answers
235 views

Dependabot will not detect all instances of a package reference upgrade in my project structure. My 4 Test projects in the structure below all use XUnit. Dependabot has detected a package upgrade from ...
Matt's user avatar
  • 429
1 vote
0 answers
398 views

I configured Dependabot on my GitHub repository but it can't authenticate on repo.magento.com. I've configured the .github/dependabot.yml file like this: version: 2 registries: adobe: type: ...
Florian Lemaitre's user avatar
0 votes
1 answer
329 views

Is there any way of providing dependabot with a list of dependencies to check? Either by injecting the list or providing a custom package manager for it to use?
parsley72's user avatar
  • 9,337
0 votes
1 answer
1k views

In my project I used Dependabot to scan our packages, I configured dependabot.yml file to scan on a schedule like this: version: 2 updates: # Enable version updates for npm - package-ecosystem: &...
Almog Sofer's user avatar
1 vote
1 answer
330 views

We have a public Gradle plugin, of which we release new versions, e.g.: https://github.com/europace/docker-publish-gradle-plugin/releases/tag/v2.0.4 https://plugins.gradle.org/plugin/de.europace.docker-...
Ruth's user avatar
  • 1,178
1 vote
1 answer
165 views

nginx has a weird versioning schema: mainline: Mainline is the active development branch where the latest features and bug fixes get added. It is denoted by an odd number in the second part of the ...
rugk's user avatar
  • 5,795
1 vote
1 answer
1k views

I have a monorepo which I manage with turborepo. I use Dependabot on GitHub to manage dependencies. As far as I can tell, the Dependabot pull requests always have merge conflicts for the lock file (in ...
Magnus's user avatar
  • 7,971
1 vote
1 answer
956 views

When configuring Dependabot to use pnpm as package ecosystem, the documentation states that it is currently supported. Though, I get an error in my editor because it does not exist in the schema. What ...
Benjamin's user avatar
0 votes
1 answer
2k views

Most packages follow semantic versioning to define major.minor.patch versions. I would like to configure Dependabot to exclude all patch versions and not create PRs. From the docs it's not completely ...
udo's user avatar
  • 5,252