Why doesn't Dependabot update package.json?
1 min read
If you're unfamiliar with Dependabot or want to learn more about it, head over to my previous article.
TL;DR
Add versioning-strategy: increase to the updates key
version: 2
registries:
github:
type: npm-registry
url: https://npm.pkg.github.com
token: ${{ secrets.GH_TOKEN }}
updates:
- package-ecosystem: "npm"
+ versioning-strategy: increase
directory: "/"
registries: [github]
schedule:
interval: "weekly"
day: "saturday"
time: "05:00"
timezone: "Europe/Warsaw"
Dependabot versioning strategies
You can view all available and up-to-date versioning strategies on the official documentation in this section.
To save you a click, here is the gist of it as of April 2024:
auto
Try to differentiate between apps and libraries. Use increase for apps and widen for libraries.
increase
Always increase the minimum version requirement to match the new version. If a range already exists, typically this only increases the lower bound.
increase-if-necessary
Leave the constraint if the original constraint allows the new version, otherwise, bump the constraint.
lockfile-only
Only create pull requests to update lockfiles. Ignore any new versions that would require package manifest changes.
widen
Widen the allowed version requirements to include both the new and old versions, when possible. Typically, this only increases the maximum allowed version requirement.
N/A
Some package managers do not yet support configuring the versioning-strategy parameter.
Dependabot's default versioning strategy in Lerna monorepos
By default, Dependabot's versioning strategy is set to auto.
However in practice, in Lerna monorepos, it appears that Dependabot ends up with the lockfile-only option.
Author: Sebastian Krzyżanowski About exile.watch: https://docs.exile.watch/ Github: https://github.com/exile-watch Visit https://exile.watch/ to experience it first hand
Last updated
Was this helpful?