Why doesn't Dependabot update package.json?


If you're unfamiliar with Dependabot or want to learn more about it, head over to my previous article.

TL;DR

Add versioning-strategy: increase to the npm entry under the updates key.

dependabot.yml
version: 2
registries:
  github:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{ secrets.GH_TOKEN }}
updates:
  - package-ecosystem: "npm"
+   versioning-strategy: increase
    directory: "/"
    registries: [github]
    schedule:
      interval: "weekly"
      day: "saturday"
      time: "05:00"
      timezone: "Europe/Warsaw"

Dependabot versioning strategies

You can view all available, up-to-date versioning strategies in the official documentation.


To save you a click, here is the gist of it as of April 2024:

| Option | Action |
| --- | --- |
| auto | Try to differentiate between apps and libraries. Use increase for apps and widen for libraries. |
| increase | Always increase the minimum version requirement to match the new version. If a range already exists, typically this only increases the lower bound. |
| increase-if-necessary | Leave the constraint if the original constraint allows the new version, otherwise, bump the constraint. |
| lockfile-only | Only create pull requests to update lockfiles. Ignore any new versions that would require package manifest changes. |
| widen | Widen the allowed version requirements to include both the new and old versions, when possible. Typically, this only increases the maximum allowed version requirement. |
| N/A | Some package managers do not yet support configuring the versioning-strategy parameter. |
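
To make the strategies above concrete, here is an added example (not from the original article and not Dependabot's own code) that models what each one does to a package.json constraint when a new version is published. It is a simplified model limited to caret ranges with a major version of 1 or higher; the function names and the exact output format for widen are assumptions.

```javascript
// Added example: simplified model of the strategy table, caret ranges only.
// Not Dependabot's code; function names and output format are assumptions.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Does a caret range such as "^1.2.0" allow version v? Assumes major >= 1,
// where "^x.y.z" means ">= x.y.z and < (x+1).0.0".
function caretAllows(range, v) {
  if (!range.startsWith("^")) throw new Error(`unsupported range: ${range}`);
  const [b, n] = [parse(range.slice(1)), parse(v)];
  if (b[0] < 1) throw new Error("0.x caret ranges are outside this model");
  if (n[0] !== b[0]) return false;
  return n[1] > b[1] || (n[1] === b[1] && n[2] >= b[2]);
}

// A constraint may be several caret ranges joined with "||".
function allows(constraint, v) {
  return constraint.split("||").some((r) => caretAllows(r.trim(), v));
}

// Returns the package.json constraint after the update, or null when the
// strategy skips the new version entirely (no pull request).
function nextConstraint(strategy, constraint, newVersion, kind = "app") {
  const inRange = allows(constraint, newVersion);
  switch (strategy) {
    case "auto": // increase for apps, widen for libraries
      return nextConstraint(kind === "library" ? "widen" : "increase", constraint, newVersion);
    case "increase":
      return `^${newVersion}`;
    case "increase-if-necessary":
      return inRange ? constraint : `^${newVersion}`;
    case "lockfile-only": // manifest is never rewritten
      return inRange ? constraint : null;
    case "widen":
      return inRange ? constraint : `${constraint} || ^${newVersion}`;
    default:
      throw new Error(`unknown strategy: ${strategy}`);
  }
}

// Constructed sample: manifest declares "^1.2.0"; 1.5.0 and 2.0.0 are published.
for (const s of ["increase", "increase-if-necessary", "lockfile-only", "widen"]) {
  console.log(s.padEnd(22), nextConstraint(s, "^1.2.0", "1.5.0"), "|", nextConstraint(s, "^1.2.0", "2.0.0"));
}
```

Only increase rewrites the constraint for an in-range release such as 1.5.0; with lockfile-only, package.json keeps "^1.2.0" and the change lands in the lockfile alone.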

Dependabot's default versioning strategy in Lerna monorepos

By default, Dependabot's versioning strategy is set to auto.

However, in practice, Dependabot appears to end up with the lockfile-only option in Lerna monorepos.


Author: Sebastian Krzyżanowski
About exile.watch: https://docs.exile.watch/
GitHub: https://github.com/exile-watch
Visit https://exile.watch/ to experience it first hand
