# Why doesn't Dependabot update package.json?

<figure><img src="/files/6T3mkUF582HmwgPcv48x" alt="" width="256"><figcaption><p>exile.watch logo</p></figcaption></figure>

If you're unfamiliar with Dependabot or want to learn more about it, head over to my [previous article](/march-2024/the-savior-amidst-the-chaos-of-dependency-updates-dependabot.md).

## TL;DR

Add `versioning-strategy: increase` to the relevant entry under the `updates` key (it is a per-entry option, not a top-level one):

{% code title="dependabot.yml" %}

```diff
version: 2
registries:
  github:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{ secrets.GH_TOKEN }}
updates:
  - package-ecosystem: "npm"
+   versioning-strategy: increase
    directory: "/"
    registries: [github]
    schedule:
      interval: "weekly"
      day: "saturday"
      time: "05:00"
      timezone: "Europe/Warsaw"

```

{% endcode %}

## Dependabot versioning strategies

You can view all available and up-to-date versioning strategies on the official documentation in [this section](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy).

***

To save you a click, here is the gist of it as of April 2024:

<table><thead><tr><th width="264">Option</th><th>Action</th></tr></thead><tbody><tr><td><code>auto</code></td><td>Try to differentiate between apps and libraries. Use <code>increase</code> for apps and <code>widen</code> for libraries.</td></tr><tr><td><code>increase</code></td><td>Always increase the minimum version requirement to match the new version. If a range already exists, typically this only increases the lower bound.</td></tr><tr><td><code>increase-if-necessary</code></td><td>Leave the constraint if the original constraint allows the new version, otherwise, bump the constraint.</td></tr><tr><td><code>lockfile-only</code></td><td>Only create pull requests to update lockfiles. Ignore any new versions that would require package manifest changes.</td></tr><tr><td><code>widen</code></td><td>Widen the allowed version requirements to include both the new and old versions, when possible. Typically, this only increases the maximum allowed version requirement.</td></tr><tr><td>N/A</td><td>Some package managers do not yet support configuring the <code>versioning-strategy</code> parameter.</td></tr></tbody></table>

## Dependabot's default versioning strategy in Lerna monorepos

By default, Dependabot's versioning strategy is `auto`, which is supposed to pick `increase` for an application and `widen` for a library.

In practice, however, in Lerna monorepos Dependabot appears to behave as if `lockfile-only` were set: its pull requests bump the resolved version in the lockfile but leave the ranges in `package.json` untouched. This matters beyond tidiness. The range in `package.json` is the only constraint seen by anything that installs without the lockfile, such as consumers of a published package, so the old lower bound stays resolvable until the manifest is bumped. Setting `versioning-strategy: increase` explicitly, as in the TL;DR above, makes Dependabot raise the lower bound in `package.json` as well.

***

Author: [Sebastian Krzyżanowski](https://github.com/sbsrnt)\
About *exile.watch*: <https://docs.exile.watch/>\
Github: <https://github.com/exile-watch>\
\
Visit <https://exile.watch/> to experience it first hand

