search

Why doesn't Dependabot update package.json?

1 min read

exile.watch logo

If you're unfamiliar with Dependabot or want to learn more about it, head over to my previous article.

hashtag
TL;DR

Add versioning-strategy: increase to the updates key

hashtag
Dependabot versioning strategies

You can view all available and up-to-date versioning strategies on the official documentation in this sectionarrow-up-right.

To save you a click, here is the gist of it as of April 2024:

Option
Action

auto

Try to differentiate between apps and libraries. Use increase for apps and widen for libraries.

increase

Always increase the minimum version requirement to match the new version. If a range already exists, typically this only increases the lower bound.

increase-if-necessary

Leave the constraint if the original constraint allows the new version, otherwise, bump the constraint.

lockfile-only

Only create pull requests to update lockfiles. Ignore any new versions that would require package manifest changes.

widen

Widen the allowed version requirements to include both the new and old versions, when possible. Typically, this only increases the maximum allowed version requirement.

N/A

Some package managers do not yet support configuring the versioning-strategy parameter.

hashtag
Dependabot's default versioning strategy in Lerna monorepos

By default, Dependabot's versioning strategy is set to auto.

However in practice, in Lerna monorepos, it appears that Dependabot ends up with the lockfile-only option.

Author: Sebastian Krzyżanowskiarrow-up-right About exile.watch: https://docs.exile.watch/arrow-up-right Github: https://github.com/exile-watcharrow-up-right Visit https://exile.watch/arrow-up-right to experience it first hand

Previousexile.watch engineering blogNextThe savior amidst the chaos of dependency updates - Dependabot

Last updated