Skip to content

Only allow Dependabot to update the lockfile in src#299

Open
jsf9k wants to merge 2 commits into
developfrom
improvement/only-update-lockfile-in-src
Open

Only allow Dependabot to update the lockfile in src#299
jsf9k wants to merge 2 commits into
developfrom
improvement/only-update-lockfile-in-src

Conversation

@jsf9k

@jsf9k jsf9k commented Jul 6, 2026

Copy link
Copy Markdown
Member

🗣 Description

This pull request sets the versioning strategy in the Dependabot configuration so that it is only allowed to update Pipfile.lock in src; Pipfile will not be altered.

💭 Motivation and context

This should fix PRs like cisagov/code-gov-update#311, where previously Dependabot wanted to incorrectly force the new version as a constraint into the Pipfile.

🧪 Testing

All automated tests pass. The real test would be when Dependabot runs after this PR is merged.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.

This should fix PRs like cisagov/code-gov-update#311, where previously
Dependabot wanted to incorrectly force the new version as a constraint
into the Pipfile.
@jsf9k jsf9k self-assigned this Jul 6, 2026
@jsf9k jsf9k added the improvement This issue or pull request will add or improve functionality, maintainability, or ease of use label Jul 6, 2026
@jsf9k jsf9k moved this to In Progress in Next Kraken Jul 6, 2026
@jsf9k

jsf9k commented Jul 6, 2026

Copy link
Copy Markdown
Member Author

I'm wondering if the versioning strategy increase-if-necessary might be a better fit for what we want to accomplish with this change. Thoughts, @cisagov/vm-dev?

@jsf9k jsf9k moved this from In progress to Review in progress in Skeleton Maintenance Jul 6, 2026
@jsf9k jsf9k marked this pull request as ready for review July 6, 2026 15:46
@jsf9k jsf9k requested review from dav3r, felddy and mcdonnnj as code owners July 6, 2026 15:46
@dav3r

dav3r commented Jul 6, 2026

Copy link
Copy Markdown
Member

I'm wondering if the versioning strategy increase-if-necessary might be a better fit for what we want to accomplish with this change. Thoughts, @cisagov/vm-dev?

AI summary:

You would choose increase-if-necessary over lockfile-only when you want Dependabot to automatically update your manifest file (e.g., package.json, Cargo.toml) whenever a new dependency version falls outside your currently defined semantic version (semver) range.

It makes sense to use lockfile-only instead of increase-if-necessary when your primary goal is to minimize manifest churn and you prefer to handle major or breaking dependency upgrades manually.

Choose lockfile-only if:

  • You only want automated PRs for security and bug fixes.
  • You want zero changes to your main manifest file from bots.
  • You prefer upgrading major tools (like upgrading from Webpack 4 to 5) manually.

Choose increase-if-necessary if:

  • You want the bot to handle both security patches and major version upgrades automatically.

Based on that, it does sound like increase-if-necessary would be a good fit for us. Can anyone think of any cases where it might backfire on us?

This choice better fits our needs better.  According to the AIs:

You would choose increase-if-necessary over lockfile-only when you
want Dependabot to automatically update your manifest file (e.g.,
package.json, Cargo.toml) whenever a new dependency version falls
outside your currently defined semantic version (semver) range.

It makes sense to use lockfile-only instead of increase-if-necessary
when your primary goal is to minimize manifest churn and you prefer to
handle major or breaking dependency upgrades manually.

Choose lockfile-only if:
- You only want automated PRs for security and bug fixes.
- You want zero changes to your main manifest file from bots.
- You prefer upgrading major tools (like upgrading from Webpack 4 to
5) manually.

Choose increase-if-necessary if:
- You want the bot to handle both security patches and major version
upgrades automatically.

Co-authored-by: dav3r <david.redmin@gwe.cisa.dhs.gov>
@jsf9k

jsf9k commented Jul 6, 2026

Copy link
Copy Markdown
Member Author

cisagov/skeleton-generic#279 made me realize that we perhaps want this versioning strategy globally; as a result I am leaning toward closing this PR in favor of cisagov/skeleton-generic#280.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

improvement This issue or pull request will add or improve functionality, maintainability, or ease of use

Projects

Status: In Progress
Status: Review in progress

Development

Successfully merging this pull request may close these issues.

2 participants