I'm trying to convert tinglesoftware/dependabot-azure-devops over to CLI, which currently uses the dry-run.rb and updater scripts to perform updates. Everything works well so far using the CLI, except for security-only updates.
I've run in to a "chicken or the egg" situation where you need to list the [vulnerable] dependency names in input.yaml, but you don't know what the dependencies are until you've already run a dependabot update first and parsed the dependency list from output.yaml.
For example:

    job:
      package-manager: npm_and_yarn
      security-updates-only: true
      dependencies:
        - express # how would I know this is a dependency before executing `dependabot update`?
      security-advisories:
        - dependency-name: express
          affected-versions:
            - <5.0.0
          patched-versions: []
          unaffected-versions: []
Do you have any advice on how I could solve this problem?
It would be ideal if there was a command like dependabot fetch --run-discovery, that was able to return the "dependency_list" output, but skip the actual updates. Assuming I'm not missing something obvious, would you be open to me submitting a pull request to add this command?
The only way I can currently work around this issue is to do two "updates": first with security-updates-only: false so I can parse the discovered dependency list, then a second update with security-updates-only: true and the dependencies list populated.
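The two-pass workaround described above, as an added example (not code from dependabot-cli or from this issue): it takes the parsed output.yaml of the discovery pass (security-updates-only: false), keeps only the discovered dependencies that have a known advisory, and emits the second-pass job. The update_dependency_list shape under output: is an assumption about the CLI's output format, and the job is rendered as JSON, which is valid YAML for the second input.yaml.

```python
import json

# Constructed sample of a first-pass output.yaml, already parsed into a dict.
# The "update_dependency_list" entry shape is an assumption, not taken from the issue.
FIRST_PASS_OUTPUT = {
    "output": [
        {"type": "update_dependency_list",
         "expect": {"data": {"dependencies": [
             {"name": "express", "version": "4.17.1"},
             {"name": "lodash", "version": "4.17.21"},
         ]}}},
    ]
}

# Advisories the caller already knows about, in the issue's input.yaml shape.
ADVISORIES = [
    {"dependency-name": "express", "affected-versions": ["<5.0.0"],
     "patched-versions": [], "unaffected-versions": []},
]


def discovered_dependency_names(output):
    """Collect dependency names from every update_dependency_list entry."""
    names = []
    for entry in output.get("output", []):
        if entry.get("type") != "update_dependency_list":
            continue
        for dep in entry["expect"]["data"].get("dependencies", []):
            names.append(dep["name"])
    return names


def build_security_job(output, advisories, package_manager="npm_and_yarn"):
    """Second-pass job: list only discovered dependencies that have an advisory."""
    advised = {a["dependency-name"] for a in advisories}
    targets = [n for n in discovered_dependency_names(output) if n in advised]
    return {"job": {
        "package-manager": package_manager,
        "security-updates-only": True,
        "dependencies": targets,
        "security-advisories": [a for a in advisories if a["dependency-name"] in targets],
    }}


def render_job(job):
    """JSON is a YAML subset, so this text can be written straight to input.yaml."""
    return json.dumps(job, indent=2)


if __name__ == "__main__":
    print(render_job(build_security_job(FIRST_PASS_OUTPUT, ADVISORIES)))
```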
It looks like @jakecoffman proposed something similar to what I'm looking for in #325.
Is there anything I could do to help with this? It sounds like a change might be needed to dependabot-core first which is maybe why this has stalled?