
Merge pull request #6544 from github/repo-sync

repo sync
Octomerger Bot
2021-05-18 22:28:10 +10:00
committed by GitHub
3 changed files with 18 additions and 17 deletions


@@ -283,22 +283,27 @@ updates:
#### `ignore`
{% data reusables.dependabot.warning-ignore-option %}
{% data reusables.dependabot.default-dependencies-allow-ignore %}
##### Checking for existing ignore preferences
Dependencies can be ignored either by adding them to `ignore` or by using the `@dependabot ignore` command on a pull request opened by {% data variables.product.prodname_dependabot %}.
Before you add an `ignore` option to the configuration file, check whether you've previously used any of the `@dependabot ignore` commands on a security update or version update pull request. {% data variables.product.prodname_dependabot %} stores these preferences for each package manager centrally and this information is overwritten by the `ignore` option. For more information about the `@dependabot ignore` commands, see "[Managing pull requests for dependency updates](/github/administering-a-repository/managing-pull-requests-for-dependency-updates)."
##### Creating `ignore` conditions from `@dependabot ignore`
You can check whether a repository has stored preferences by searching the repository for `"@dependabot ignore" in:comments`. If you review any pull requests in the results, you can decide whether or not to specify those ignored dependencies or versions in the configuration file.
Dependencies ignored by using the `@dependabot ignore` command are stored centrally for each package manager. If you start ignoring dependencies in the `dependabot.yml` file, these existing preferences are considered alongside the `ignore` dependencies in the configuration. You won't be able to use the `@dependabot ignore` command to add any further dependencies, instead you will need add them to the `dependabot.yml` file.
You can check whether a repository has stored `ignore` preferences by searching the repository for `"@dependabot ignore" in:comments`. If you wish to un-ignore a dependency ignored this way, re-open the pull request.
For more information about the `@dependabot ignore` commands, see "[Managing pull requests for dependency updates](/github/administering-a-repository/managing-pull-requests-for-dependency-updates)."
##### Specifying dependencies and versions to ignore
{% data reusables.dependabot.default-dependencies-allow-ignore %}
You can use the `ignore` option to customize which dependencies are updated. The `ignore` option supports the following options.
- `dependency-name`—use to ignore updates for dependencies with matching names, optionally using `*` to match zero or more characters. For Java dependencies, the format of the `dependency-name` attribute is: `groupId:artifactId`, for example: `org.kohsuke:github-api`.
- `dependency-name`—use to ignore updates for dependencies with matching names, optionally using `*` to match zero or more characters. For Java dependencies, the format of the `dependency-name` attribute is: `groupId:artifactId` (for example: `org.kohsuke:github-api`).
- `versions`—use to ignore specific versions or ranges of versions. If you want to define a range, use the standard pattern for the package manager (for example: `^1.0.0` for npm, or `~> 2.0` for Bundler).
- `update-types`—use to ignore types of updates, such as semver `major`, `minor`, or `patch` updates on version updates (for example: `version-update:semver-patch` will ignore patch updates). You can combine this with `dependency-name: *` to ignore particular `update-types` for all dependencies. Currently, `version-update:semver-major`, `version-update:semver-minor`, and `version-update:semver-patch` are the only supported options. Security updates are unaffected by this setting.
If `versions` and `update-types` are used together, {% data variables.product.prodname_dependabot %} will ignore any update in either set.
{% data reusables.dependabot.option-affects-security-updates %}
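Review bot: the hunk leaves two statements about stored `@dependabot ignore` preferences that contradict each other. Under "Checking for existing ignore preferences" the text says this information "is overwritten by the `ignore` option", while under "Creating `ignore` conditions from `@dependabot ignore`" it says "these existing preferences are considered alongside the `ignore` dependencies in the configuration". Only one of these can be the actual behaviour, and a reader who relies on the wrong one either silently loses ignores they depended on or keeps a dependency pinned to a version they meant to stop ignoring; please settle on one wording in the final text. The sentence "You can check whether a repository has stored preferences by searching the repository for `"@dependabot ignore" in:comments`" and the "For more information about the `@dependabot ignore` commands" link sentence also each appear twice with slightly different wording, as does the `dependency-name` bullet (differing only in the parenthesised example); confirm in each case that one copy is the removed line and that both are not retained.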
@@ -317,6 +322,9 @@ updates:
versions: ["4.x", "5.x"]
# For Lodash, ignore all updates
- dependency-name: "lodash"
# For AWS SDK, ignore all patch updates
- dependency-name: "aws-sdk"
update-types: ["version-update:semver-patch"]
```
{% note %}
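Review bot: the new `aws-sdk` entry sits directly under the `lodash` entry whose comment says "ignore all updates", and its own comment "ignore all patch updates" could be read the same way; the prose above states that `update-types` only affects version updates and that "Security updates are unaffected by this setting", so suggest making the example comment explicit, e.g. `# For AWS SDK, ignore all patch updates (minor, major and security updates are still raised)`.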


@@ -112,7 +112,6 @@ updates:
directory: "/"
schedule:
interval: "daily"
# Overwrite any ignores created using `@dependabot ignore` commands
ignore:
# Ignore updates to packages that start with 'aws'
# Wildcards match zero or more arbitrary characters
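Review bot: removing `# Overwrite any ignores created using `@dependabot ignore` commands` from the example drops the only in-line hint about how the `ignore` block interacts with preferences stored from pull-request commands, and the configuration-options file in this same PR still describes that interaction in two incompatible ways ("overwritten" versus "considered alongside"). Suggest replacing the comment rather than deleting it, with wording that matches whichever behaviour the configuration-options page settles on, and keeping it next to the `ignore:` key so the example stays self-explanatory.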
@@ -121,8 +120,9 @@ updates:
- dependency-name: "express"
# Ignore only new versions for 4.x and 5.x
versions: ["4.x", "5.x"]
# For all packages, ignore all patch updates
- dependency-name: "*"
update-types: ["version-update:semver-patch"]
```
{% data reusables.dependabot.warning-ignore-option %}
For more information about checking for existing ignore preferences, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates#ignore)."
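Review bot: the line `{% data reusables.dependabot.warning-ignore-option %}` immediately above the new cross-reference includes a reusable that the third file in this PR deletes outright (`@@ -1,7 +0,0 @@`); if that include survives, the build will fail on the missing reusable. Confirm it is the removed line in this hunk, and likewise for the same include under `#### ignore` in the configuration-options file. The new "For more information about checking for existing ignore preferences" link pointing at `configuration-options-for-dependency-updates#ignore` is the right replacement for the warning, provided that section ends up stating the behaviour consistently.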


@@ -1,7 +0,0 @@
{% warning %}
**Warning**: Before you add an `ignore` option to the *dependabot.yml* configuration file, check whether the repository already has any ignore preferences (created using the `@dependabot ignore` commands). When you add an `ignore` option to the *dependabot.yml* configuration file, this overwrites any ignore preferences stored centrally for that package manager, branch, and directory.
This affects both security and version updates.
{% endwarning %}
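Review bot: deleting this reusable removes two details the replacement prose should still carry. First, the scope of what gets overwritten: the warning says stored preferences are kept "for that package manager, branch, and directory", whereas the new "Checking for existing ignore preferences" text only says "for each package manager", so the branch and directory granularity is lost if it is still accurate. Second, "This affects both security and version updates"; check that `{% data reusables.dependabot.option-affects-security-updates %}` at the end of the `ignore` section covers that point, since a reader who assumes security updates are exempt from `ignore` could leave a known-vulnerable version in place.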