From fedc0d6182f049fe6232088c9701e140e3c290bd Mon Sep 17 00:00:00 2001 From: Siara <108543037+SiaraMist@users.noreply.github.com> Date: Thu, 24 Aug 2023 08:17:45 -0700 Subject: [PATCH] Dependabot Grouped Version Updates - [GA] (#41226) --- .../configuration-options-for-the-dependabot.yml-file.md | 4 ++-- .../customizing-dependency-updates.md | 2 -- .../managing-pull-requests-for-dependency-updates.md | 6 +++--- .../troubleshooting-dependabot-errors.md | 6 ------ .../getting-started/github-security-features.md | 4 ++-- .../getting-started/securing-your-repository.md | 2 +- .../dependabot-version-updates-groups-semver.md | 8 +++++++- 7 files changed, 15 insertions(+), 17 deletions(-) diff --git a/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md b/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md index 03c69d1f1d..644a63ef4a 100644 --- a/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md +++ b/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md @@ -329,8 +329,6 @@ If you use the same configuration as in the example above, bumping the `requests {% ifversion dependabot-version-updates-groups %} ### `groups` -{% data reusables.dependabot.dependabot-version-updates-groups-beta %} - {% data reusables.dependabot.dependabot-version-updates-groups-supported %} {% data reusables.dependabot.dependabot-version-updates-groups-about %} 
@@ -341,6 +339,8 @@ If you use the same configuration as in the example above, bumping the `requests {% data reusables.dependabot.dependabot-version-updates-groups-yaml-example %} +{% data variables.product.prodname_dependabot %} creates groups in the order they appear in your `dependabot.yml` file. If a dependency update could belong to more than one group, it is only assigned to the first group it matches with. + If a dependency doesn't belong to any group, {% data variables.product.prodname_dependabot %} will continue to raise single pull requests to update the dependency to its latest version as normal. {% data variables.product.prodname_dotcom %} reports in the logs if a group is empty. For more information, see "[{% data variables.product.prodname_dependabot %} fails to group a set of dependencies into a single pull request](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-fails-to-group-a-set-of-dependencies-into-a-single-pull-request)." When a scheduled update runs, {% data variables.product.prodname_dependabot %} will refresh pull requests for grouped updates using the following rules: diff --git a/content/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates.md b/content/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates.md index 95bda11cc1..937ff08de6 100644 --- a/content/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates.md +++ b/content/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates.md @@ -143,8 +143,6 @@ updates: {% ifversion dependabot-version-updates-groups %} ## Grouping {% data variables.product.prodname_dependabot_version_updates %} into one pull request -{% data reusables.dependabot.dependabot-version-updates-groups-beta %} - {% data reusables.dependabot.dependabot-version-updates-groups-about %} {% data reusables.dependabot.dependabot-version-updates-groups-semver %} 
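Review bot: in the configuration-options `groups` hunk (`@@ -341,6 +339,8 @@`), the new sentence ends on the non-idiomatic "the first group it matches with" and stops short of the consequence readers need; suggest "it is assigned only to the first group it matches and is not considered for any later group." It would also help to spell out what this means for ordering: a broadly matching group listed first absorbs every update that could also fit a more specific group below it, which leaves those later groups empty, and an empty group is exactly the condition the following paragraph tells readers to look for in the logs. Stating that link here saves a round trip to the troubleshooting article.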
diff --git a/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md b/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md index b7222cd57f..fea581d92a 100644 --- a/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md +++ b/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md 
@@ -88,11 +88,11 @@ For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-vers In {% data variables.product.prodname_dependabot %} pull requests for grouped version updates, you can use comment commands to ignore and un-ignore updates for specific dependencies and versions. You can use any of the following commands to manage ignore conditions for grouped version updates. -- `@dependabot ignore DEPENDENCY_NAME dependency` closes the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency. +- `@dependabot ignore DEPENDENCY_NAME` closes the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency. - `@dependabot ignore DEPENDENCY_NAME major version` closes the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency's major version. - `@dependabot ignore DEPENDENCY_NAME minor version` closes the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency's minor version. -- `@dependabot unignore * dependency` closes the current pull request, clears all `ignore` conditions stored for all dependencies in the group, then opens a new pull request. -- `@dependabot unignore DEPENDENCY_NAME dependency` closes the current pull request, clears all `ignore` conditions stored for the dependency, then opens a new pull request that includes available version updates for the specified dependency. For example, `@dependabot unignore lodash dependency` would open a new pull request that includes version updates for the Lodash dependency. +- `@dependabot unignore *` closes the current pull request, clears all `ignore` conditions stored for all dependencies in the group, then opens a new pull request. 
+- `@dependabot unignore DEPENDENCY_NAME` closes the current pull request, clears all `ignore` conditions stored for the dependency, then opens a new pull request that includes available version updates for the specified dependency. For example, `@dependabot unignore lodash` would open a new pull request that includes version updates for the Lodash dependency. - `@dependabot unignore DEPENDENCY_NAME IGNORE_CONDITION` closes the current pull request, clears the stored `ignore` condition, then opens a new pull request that includes available version updates for the specified ignore condition. For example, `@dependabot unignore express [< 1.9, > 1.8.0]` would open a new pull request that includes version updates for Express between versions 1.8.0 and 1.9.0. {% note %} diff --git a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md b/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md index ce0d64f345..aed06af557 100644 --- a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md +++ b/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md @@ -149,8 +149,6 @@ To allow {% data variables.product.prodname_dependabot %} to update the dependen ### {% data variables.product.prodname_dependabot %} fails to group a set of dependencies into a single pull request -{% data reusables.dependabot.dependabot-version-updates-groups-beta %} - {% data reusables.dependabot.dependabot-version-updates-groups-supported %} You must configure groups per package ecosystem. To debug the problem, we recommend you look at the logs. For information about accessing the logs for a manifest, see "[Investigating errors with {% data variables.product.prodname_dependabot_version_updates %}](#investigating-errors-with-dependabot-version-updates)" above. 
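Review bot: in the managing-pull-requests hunk (`@@ -88,11 +88,11 @@`), dropping the trailing `dependency` keyword from `@dependabot ignore DEPENDENCY_NAME`, `@dependabot unignore *` and `@dependabot unignore DEPENDENCY_NAME` makes the worked example `@dependabot unignore lodash` consistent with the syntax it illustrates, but the unchanged `IGNORE_CONDITION` line directly below still describes `@dependabot unignore express [< 1.9, > 1.8.0]` as "between versions 1.8.0 and 1.9.0", which reads as inclusive while both bounds in the condition are strict; suggest "greater than 1.8.0 and less than 1.9". Since readers paste these commands verbatim, the `{% note %}` block that follows and the earlier, non-grouped command list in the same article should be checked for any remaining `dependency` suffix so the two lists do not disagree.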
@@ -179,8 +177,6 @@ For more information on how to configure groups for {% data variables.product.pr ### {% data variables.product.prodname_dependabot %} fails to update one of the dependencies in a grouped pull request -{% data reusables.dependabot.dependabot-version-updates-groups-beta %} - **Version updates only.** {% data variables.product.prodname_dependabot %} will show the failed update in your logs, as well as in the job summary at the end of your logs. You should use the `@dependabot recreate` comment on the pull request to build the group again. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands)." If the dependency still fails to update, you should use the `exclude-patterns` configuration so that the dependency is excluded from the group. {% data variables.product.prodname_dependabot %} will then raise a separate pull request to update the dependency. @@ -191,8 +187,6 @@ If the dependency still fails to update, there may be a problem with the depende ### Continuous integration (CI) fails on my grouped pull request -{% data reusables.dependabot.dependabot-version-updates-groups-beta %} - **Version updates only.** If the failure is due to a single dependency, you should use the `exclude-patterns` configuration so that the dependency is excluded from the group. {% data variables.product.prodname_dependabot %} will then raise a separate pull request to update the dependency. {% data reusables.dependabot.dependabot-ignore-dependencies %} diff --git a/content/code-security/getting-started/github-security-features.md b/content/code-security/getting-started/github-security-features.md index e499b21b77..7846a627ba 100644 --- a/content/code-security/getting-started/github-security-features.md +++ b/content/code-security/getting-started/github-security-features.md 
@@ -54,9 +54,9 @@ View alerts about dependencies that are known to contain security vulnerabilitie {% ifversion fpt or ghec or ghes %} -### {% data variables.product.prodname_dependabot %} version updates +### {% data variables.product.prodname_dependabot_version_updates %} -Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates)." +Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. You can also customize {% data variables.product.prodname_dependabot_version_updates %} to streamline their integration into your repositories. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates)." {% endif %} ### Dependency graph diff --git a/content/code-security/getting-started/securing-your-repository.md b/content/code-security/getting-started/securing-your-repository.md index 45b1df2636..cb5244de76 100644 --- a/content/code-security/getting-started/securing-your-repository.md +++ b/content/code-security/getting-started/securing-your-repository.md 
@@ -104,7 +104,7 @@ You can enable {% data variables.product.prodname_dependabot %} to automatically 1. From the main page of your repository, click **{% octicon "gear" aria-label="The Settings gear" %} Settings**. 1. Click **Security & analysis**. 1. Next to {% data variables.product.prodname_dependabot_version_updates %}, click **Enable** to create a basic `dependabot.yml` configuration file. -1. Specify the dependencies to update and commit the file to the repository. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates)." +1. Specify the dependencies to update and any associated configuration options, then commit the file to the repository. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates)." {% else %} To enable {% data variables.product.prodname_dependabot_version_updates %}, you must create a `dependabot.yml` configuration file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)." diff --git a/data/reusables/dependabot/dependabot-version-updates-groups-semver.md b/data/reusables/dependabot/dependabot-version-updates-groups-semver.md index 76ab0c8ab7..331e6a224c 100644 --- a/data/reusables/dependabot/dependabot-version-updates-groups-semver.md +++ b/data/reusables/dependabot/dependabot-version-updates-groups-semver.md 
@@ -1 +1,7 @@ -You can also specify grouping settings based on how updates affect a specific ecosystem and follow semantic versioning (SemVer). This means you can, for example, group all patch updates together. This approach helps {% data variables.product.prodname_dependabot %} create as few pull requests as possible, while also reducing the chances of accidentally accepting changes that could cause issues. If a package follows SemVer, there's a higher chance (but not a guarantee) that minor and patch updates will be backwards compatible. \ No newline at end of file +You can also specify grouping settings based on how updates affect a specific ecosystem and follow semantic versioning (SemVer). This means you can, for example, group all patch updates together. This approach helps {% data variables.product.prodname_dependabot %} create as few pull requests as possible, while also reducing the chances of accidentally accepting changes that could cause issues. If a package follows SemVer, there's a higher chance (but not a guarantee) that minor and patch updates will be backwards compatible. + +{% note %} + +**Note:** SemVer is an accepted standard for defining versions of software packages, in the form `x.y.z`. {% data variables.product.prodname_dependabot %} assumes that versions in this form are always `major.minor.patch`. + +{% endnote %} \ No newline at end of file
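Review bot: in the github-security-features hunk (`@@ -54,9 +54,9 @@`), the added sentence "You can also customize Dependabot version updates to streamline their integration into your repositories" is marketing-shaped and tells the reader nothing actionable; the rest of the paragraph is specific about the security benefit, so this sentence should be too. Suggest naming what can be customized, for example grouping related updates into a single pull request (the feature this same patch documents in `customizing-dependency-updates.md`), and linking to that article, since the only link in the paragraph still points at `about-dependabot-version-updates`.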
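Review bot: in the `dependabot-version-updates-groups-semver.md` hunk (`@@ -1 +1,7 @@`), the new note states the assumption ("versions in this form are always `major.minor.patch`") without its consequence, which is the security-relevant part: a package that uses an `x.y.z` version string without following SemVer can land in a minor or patch group even when the change is breaking, so the "(but not a guarantee)" caveat in the sentence above is the part a reviewer of a grouped pull request should keep in mind. Suggest one sentence in the note to that effect, for example "If a dependency does not follow SemVer, Dependabot still groups it by this interpretation, so review grouped minor and patch updates accordingly." Separately, both the old and new versions end with `\ No newline at end of file`; since the file is being rewritten anyway, add the trailing newline so the reusable renders and diffs cleanly.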