# Why doesn't Dependabot update package.json?


If you're unfamiliar with Dependabot or want to learn more about it, head over to my [previous article](https://engineering.exile.watch/march-2024/the-savior-amidst-the-chaos-of-dependency-updates-dependabot).

## TL;DR

Add `versioning-strategy: increase` to the entry under the `updates` key:

{% code title="dependabot.yml" %}

```diff
version: 2
registries:
  github:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{ secrets.GH_TOKEN }}
updates:
  - package-ecosystem: "npm"
+   versioning-strategy: increase
    directory: "/"
    registries: [github]
    schedule:
      interval: "weekly"
      day: "saturday"
      time: "05:00"
      timezone: "Europe/Warsaw"

```

{% endcode %}
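
Review bot: the added `versioning-strategy: increase` line sits between `package-ecosystem` and `directory` with no comment saying why it is there. A short YAML comment on that line, stating that it overrides the default `auto` so that `package.json` is bumped along with the lockfile, would keep it from being dropped later as redundant.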

## Dependabot versioning strategies

You can view all available, up-to-date versioning strategies in [this section](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy) of the official documentation.

***

To save you a click, here is the gist of it as of April 2024:

<table><thead><tr><th width="264">Option</th><th>Action</th></tr></thead><tbody><tr><td><code>auto</code></td><td>Try to differentiate between apps and libraries. Use <code>increase</code> for apps and <code>widen</code> for libraries.</td></tr><tr><td><code>increase</code></td><td>Always increase the minimum version requirement to match the new version. If a range already exists, typically this only increases the lower bound.</td></tr><tr><td><code>increase-if-necessary</code></td><td>Leave the constraint if the original constraint allows the new version, otherwise, bump the constraint.</td></tr><tr><td><code>lockfile-only</code></td><td>Only create pull requests to update lockfiles. Ignore any new versions that would require package manifest changes.</td></tr><tr><td><code>widen</code></td><td>Widen the allowed version requirements to include both the new and old versions, when possible. Typically, this only increases the maximum allowed version requirement.</td></tr><tr><td>N/A</td><td>Some package managers do not yet support configuring the <code>versioning-strategy</code> parameter.</td></tr></tbody></table>
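
To make the table concrete, here is an added JavaScript example (not from the original article and not Dependabot's own code) that models what each strategy leaves in `package.json` after an update. It assumes requirements are exact, `^` or `~` ranges optionally joined by `||`, leaves out `auto`, and the helper names `satisfies` and `applyStrategy` as well as the sample versions are hypothetical.

```javascript
// Added example: models the strategies in the table above for package.json ranges.
// Assumption: only exact, ^ and ~ requirements (optionally joined by ||).
const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};

// Exclusive upper bound of one requirement, following npm's ^ and ~ rules.
function upperBound(op, [maj, min, pat]) {
  if (op === "~") return [maj, min + 1, 0];
  if (op === "^" && maj > 0) return [maj + 1, 0, 0];
  if (op === "^" && min > 0) return [0, min + 1, 0];
  return [maj, min, pat + 1]; // exact pin, or ^0.0.x
}

// True when the requirement already allows the version.
function satisfies(requirement, version) {
  const v = parse(version);
  return requirement.split("||").some((part) => {
    const m = part.trim().match(/^([\^~]?)(\d+\.\d+\.\d+)$/);
    if (!m) throw new Error(`unsupported range: ${part.trim()}`);
    const lo = parse(m[2]);
    return cmp(v, lo) >= 0 && cmp(v, upperBound(m[1], lo)) < 0;
  });
}

// Requirement that package.json carries after an update to newVersion.
function applyStrategy(strategy, requirement, newVersion) {
  const op = requirement.trim().match(/^[\^~]?/)[0]; // keep the operator style
  const allowed = satisfies(requirement, newVersion);
  switch (strategy) {
    case "increase": // lower bound always moves to the new version
      return op + newVersion;
    case "increase-if-necessary": // untouched while the range still fits
      return allowed ? requirement : op + newVersion;
    case "widen": // old range kept, new one appended when needed
      return allowed ? requirement : `${requirement} || ${op}${newVersion}`;
    case "lockfile-only": // manifest never changes; only the lockfile does
      return requirement;
    default:
      throw new Error(`unmodelled strategy: ${strategy}`);
  }
}

// Constructed sample: the same in-range update under each strategy.
for (const s of ["increase", "increase-if-necessary", "widen", "lockfile-only"])
  console.log(s.padEnd(22), applyStrategy(s, "^1.2.0", "1.4.1"));
```

Only `increase` raises the minimum version in the manifest for an in-range update; under the other three the old lower bound stays, so an install that does not use the lockfile can still resolve to the older release.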

## Dependabot's default versioning strategy in Lerna monorepos

By default, Dependabot's versioning strategy is set to `auto`.

In practice, however, in Lerna monorepos Dependabot appears to end up with the `lockfile-only` option, which is why `package.json` is left untouched.

***

Author: [Sebastian Krzyżanowski](https://github.com/sbsrnt)\
About *exile.watch*: <https://docs.exile.watch/>\
GitHub: <https://github.com/exile-watch>\
\
Visit <https://exile.watch/> to experience it firsthand.
