Only allow Dependabot to update the lockfile in src#299
Conversation
This should fix PRs like cisagov/code-gov-update#311, where previously Dependabot wanted to incorrectly force the new version as a constraint into the Pipfile.
|
I'm wondering if the versioning strategy |
AI summary:You would choose It makes sense to use Choose
Choose
Based on that, it does sound like |
This choice better fits our needs better. According to the AIs: You would choose increase-if-necessary over lockfile-only when you want Dependabot to automatically update your manifest file (e.g., package.json, Cargo.toml) whenever a new dependency version falls outside your currently defined semantic version (semver) range. It makes sense to use lockfile-only instead of increase-if-necessary when your primary goal is to minimize manifest churn and you prefer to handle major or breaking dependency upgrades manually. Choose lockfile-only if: - You only want automated PRs for security and bug fixes. - You want zero changes to your main manifest file from bots. - You prefer upgrading major tools (like upgrading from Webpack 4 to 5) manually. Choose increase-if-necessary if: - You want the bot to handle both security patches and major version upgrades automatically. Co-authored-by: dav3r <david.redmin@gwe.cisa.dhs.gov>
|
cisagov/skeleton-generic#279 made me realize that we perhaps want this versioning strategy globally; as a result I am leaning toward closing this PR in favor of cisagov/skeleton-generic#280. |
🗣 Description
This pull request sets the versioning strategy in the Dependabot configuration so that it is only allowed to update
Pipfile.lockinsrc;Pipfilewill not be altered.💭 Motivation and context
This should fix PRs like cisagov/code-gov-update#311, where previously Dependabot wanted to incorrectly force the new version as a constraint into the
Pipfile.🧪 Testing
All automated tests pass. The real test would be when Dependabot runs after this PR is merged.
✅ Pre-approval checklist