Comments (7)
Hey @OskarStark,
Thanks for reporting this - I totally rely on feedback like this to keep making Dependabot better.
I've just pushed this change that partly addresses the above - Dependabot will now keep the same digit length. In the case listed above, that would mean Dependabot wouldn't have updated your `composer.json`, just your `composer.lock`.
The change I've made doesn't stop Dependabot from updating your `composer.json` from `^2.5` to `^2.6`, which I think is probably the behaviour you'd want anyway, except for if your repo is a library (in which case specifying it as such in the `composer.json`, or not committing the `composer.lock`, would trigger Dependabot's library behaviour and only update your `composer.json` if the new version was outside of your currently accepted range).
Make sense?
from dependabot-core.
Hey @greysteil glad to hear that feedback from you 👍
ofc I will test it as soon as I can. And yes I want to upgrade from to 2.6 and 2.7 if `^2.5` is specified.
But I don't want to go up to 3.x in this case ;-)
I will provide feedback here!
from dependabot-core.
Awesome. If you haven't merged the duff PR, and have made any changes to its target branch (normally master) since it was created, then commenting `@dependabot rebase` on it should update the `composer.json` changes.
from dependabot-core.
Hey @greysteil I closed the branches and me and/or dependabot closed some of these branches, so I could not reopen anymore :(
from dependabot-core.
Ah, OK. I've regenerated a few of those PRs for you with the new setup - let me know if that's any better!
from dependabot-core.
I received a PR, but with the old (wrong) logic I guess:
from dependabot-core.
OK, I've updated our logic to not update the `composer.json` for PHP if the range is allowable, and will keep it that way unless I start hearing users asking for updates that look like the ones above. I've also kicked off another set of updates for the bad PRs on your repos - if you have any bad PRs that are open there just close them and Dependabot will re-generate them using the new logic the following morning.
Thanks for the feedback on this!
from dependabot-core.
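Added example, not part of the thread and not Dependabot's own code: a Ruby illustration of the decision the comments above settle on, where a new version inside the existing caret range touches only `composer.lock` and the constraint in `composer.json` is left alone. The function names are hypothetical, only plain caret constraints are handled, and the form of the constraint proposed for an out-of-range version (same number of segments as the existing one) is an assumption of this example.

```ruby
# Added illustration, not Dependabot's code. Function names are hypothetical.
# Handles only plain caret constraints such as "^2.5".

# "^2.5" -> [2, 5]
def caret_segments(constraint)
  m = /\A\^(\d+(?:\.\d+){0,2})\z/.match(constraint.strip)
  raise ArgumentError, "unsupported constraint: #{constraint}" unless m
  m[1].split(".").map(&:to_i)
end

# "2.6.1" -> [2, 6, 1]; missing segments count as 0 ("v2.6" -> [2, 6, 0]).
def version_triple(version)
  m = /\Av?(\d+)(?:\.(\d+))?(?:\.(\d+))?\z/.match(version.strip)
  raise ArgumentError, "unsupported version: #{version}" unless m
  m.captures.map(&:to_i)
end

# Composer caret rule: the upper bound bumps the leftmost non-zero segment,
# so ^2.5 means >=2.5.0 <3.0.0 and ^0.3 means >=0.3.0 <0.4.0.
def caret_bounds(constraint)
  segs = caret_segments(constraint)
  lower = (segs + [0, 0]).first(3)
  idx = segs.index { |s| s != 0 } || segs.length - 1
  upper = lower.first(idx) + [lower[idx] + 1] + [0] * (2 - idx)
  [lower, upper]
end

def caret_allows?(constraint, version)
  lower, upper = caret_bounds(constraint)
  v = version_triple(version)
  (v <=> lower) >= 0 && (v <=> upper) < 0
end

# In range: lockfile only, constraint untouched. Out of range: both files,
# with a proposed constraint of the same segment count (assumed format).
def plan_update(constraint, new_version)
  if caret_allows?(constraint, new_version)
    return { files: ["composer.lock"], requirement: constraint }
  end
  width = caret_segments(constraint).length
  proposed = "^" + version_triple(new_version).first(width).join(".")
  { files: ["composer.json", "composer.lock"], requirement: proposed }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample versions for the "^2.5" case discussed in the thread.
  %w[2.6.0 2.7.3 3.0.0].each { |v| puts "#{v}: #{plan_update('^2.5', v)}" }
end
```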