You can customize your Dependabot configuration to meet your needs by adding options to your dependabot.yml file. For example, you can make sure Dependabot uses the correct package manifest files and only updates the dependencies you want to maintain.
This article collects customization options that you may find useful.
Defining multiple locations for manifest files
If you want to enable Dependabot version updates for manifest files stored in multiple locations, you can use directories instead of directory. For example, this configuration sets up two different update schedules for manifest files stored in different directories.
```yaml
# Specify the locations of the manifest files to update for each package manager
# using both `directories` and `directory`
version: 2
updates:
  - package-ecosystem: "bundler"
    # Update manifest files stored in these directories weekly
    directories:
      - "/frontend"
      - "/backend"
      - "/admin"
    schedule:
      interval: "weekly"
  - package-ecosystem: "bundler"
    # Update manifest files stored in the root directory daily
    directory: "/"
    schedule:
      interval: "daily"
```
Specifying a range of directories using a pattern

```yaml
# Specify the root directory and directories that start with "lib-",
# using globbing, for locations of manifest files
version: 2
updates:
  - package-ecosystem: "composer"
    directories:
      - "/"
      - "/lib-*"
    schedule:
      interval: "weekly"
```

Specifying manifests in the current directory and its subdirectories recursively

```yaml
# Specify all directories from the current layer and below recursively,
# using globstar, for locations of manifest files
version: 2
updates:
  - package-ecosystem: "composer"
    directories:
      - "**/*"
    schedule:
      interval: "weekly"
```
Ignoring specific dependencies
If you are not yet ready to adopt changes to some dependencies in your project, you can configure Dependabot to ignore those dependencies when it opens pull requests for version updates and security updates. You can do this in one of the following ways.
- Configure the ignore option for dependencies in the dependabot.yml file.
  - You can use this option to ignore updates for specific dependencies, versions, and update types.
  - For more information, see ignore in "Dependabot options reference."
- Use the @dependabot ignore comment command on Dependabot pull requests for version updates and security updates.
  - You can use comment commands to ignore updates for specific dependencies and versions.
  - For more information, see "Managing pull requests for dependency updates."
The following examples show how you can use ignore to customize which dependencies are updated.

Ignoring updates beyond a specific version

```yaml
ignore:
  - dependency-name: "lodash:*"
    # Ignore versions of Lodash that are equal to or greater than 1.0.0
    versions: [ ">=1.0.0" ]
```

```yaml
ignore:
  - dependency-name: "sphinx"
    versions: [ "[1.1,)" ]
```

Ignoring patch updates

```yaml
ignore:
  - dependency-name: "@types/node"
    # Ignore patch updates for Node
    update-types: ["version-update:semver-patch"]
```
To ignore a specific version or a range of versions, see "Ignoring specific versions or ranges of versions."
If you want to unignore a dependency or an ignore condition, you can delete the ignore condition from the dependabot.yml file or reopen the pull request.
For grouped update pull requests, you can also use the @dependabot unignore comment command. Commenting on a Dependabot pull request with the @dependabot unignore command lets you:
- Unignore a specific ignore condition
- Unignore a specific dependency
- Unignore all ignore conditions for all dependencies in the Dependabot pull request
For more information, see "Managing pull requests for dependency updates."
Allowing specific dependencies to be updated
You can use allow to tell Dependabot which dependencies you want to maintain. allow is often used together with ignore.
For more information, see allow in "Dependabot options reference."
By default, Dependabot creates version update pull requests only for dependencies that are explicitly defined in a manifest (direct dependencies). This configuration uses allow to tell Dependabot that we want it to maintain all types of dependencies, that is, both direct dependencies and their own dependencies (also known as indirect, sub-, or transitive dependencies). In addition, the configuration tells Dependabot to ignore all dependencies whose names match the pattern org.xwiki.*, because we have a separate process for maintaining them.
Tip
Dependabot checks all allowed dependencies and then filters out any ignored dependencies. If a dependency matches both an allow and an ignore statement, it is ignored.
```yaml
version: 2
registries:
  # Helps find updates for non Maven Central dependencies
  maven-xwiki-public:
    type: maven-repository
    url: http://nexus.xwiki.org/nexus/content/groups/public/
    username: ""
    password: ""
  # Required to resolve xwiki-common SNAPSHOT parent pom
  maven-xwiki-snapshots:
    type: maven-repository
    url: http://maven.xwiki.org/snapshots
    username: ""
    password: ""
updates:
  - package-ecosystem: "maven"
    directory: "/"
    registries:
      - maven-xwiki-public
      - maven-xwiki-snapshots
    schedule:
      interval: "weekly"
    allow:
      # Allow both direct and indirect updates for all packages.
      - dependency-type: "all"
    ignore:
      # Ignore XWiki dependencies. We have a separate process for updating them
      - dependency-name: "org.xwiki.*"
    open-pull-requests-limit: 15
```
Ignoring specific versions or ranges of versions
You can use versions together with ignore to ignore a specific version or a range of versions.
For more information, see versions in "Dependabot options reference."

Ignoring a specific version

```yaml
ignore:
  - dependency-name: "django*"
    # Ignore version 11
    versions: [ "11" ]
```

Ignoring a range of versions

```yaml
ignore:
  - dependency-name: "@types/node"
    versions: ["15.x", "14.x", "13.x"]
  - dependency-name: "xdg-basedir"
    # 5.0.0 has breaking changes as they switch to named exports
    # and convert the module to ESM
    # We can't use it until we switch to ESM across the project
    versions: ["5.x"]
  - dependency-name: "limiter"
    # 2.0.0 has breaking changes
    # so we want to delay updating.
    versions: ["2.x"]
```
Specifying semantic versioning levels to ignore
You can use update-types to specify one or more semantic versioning (SemVer) levels to ignore.
For more information, see update-types in "Dependabot options reference."
In this example, Dependabot ignores patch updates for Node.
```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    ignore:
      - dependency-name: "express"
        # For Express, ignore all updates for version 4 and 5
        versions: ["4.x", "5.x"]
      # For Lodash, ignore all updates
      - dependency-name: "lodash"
      - dependency-name: "@types/node"
        # For Node types, ignore any patch versions
        update-types: ["version-update:semver-patch"]
```
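As an added example that is not part of this article or of Dependabot's own code, the following Python script re-implements the ignore matching described in "Ignoring specific dependencies" and in this section (wildcard dependency-name patterns, versions entries such as "4.x" or ">=1.0.0", and update-types SemVer levels), so you can audit which candidate updates a rule set would suppress before an ignored security update surprises you. The rules are embedded as a Python list constructed from the npm example above rather than parsed from YAML, and the matching is an approximation of the documented behaviour, not Dependabot's implementation.

```python
import fnmatch
import re
# Constructed input: the `ignore` block of the npm example on this page, as a
# Python list instead of YAML so the script runs without a YAML library.
IGNORE_RULES = [
    {"dependency-name": "express", "versions": ["4.x", "5.x"]},
    {"dependency-name": "lodash"},  # no versions/update-types: ignore everything
    {"dependency-name": "@types/node", "update-types": ["version-update:semver-patch"]},
]

def parse_version(text):
    """Numeric components only: '4.x' -> (4,), '18.11.9' -> (18, 11, 9)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def pad(parts):
    """Right-pad to three components so '1' compares equal to '1.0.0'."""
    return parts + (0,) * (3 - len(parts))

def semver_level(old, new):
    """SemVer level of the jump from old to new, in Dependabot's update-type form."""
    for level, (a, b) in zip(("major", "minor", "patch"),
                             zip(pad(parse_version(old)), pad(parse_version(new)))):
        if a != b:
            return f"version-update:semver-{level}"
    return None  # identical versions

def version_matches(spec, version):
    """One `versions` entry: comparison operator (">=1.0.0") or prefix ("4.x").
    Maven interval syntax such as "[1.1,)" is out of scope for this example."""
    m = re.fullmatch(r"\s*(>=|<=|>|<|=)\s*([\d.]+)\s*", spec)
    if m:
        op, target = m.group(1), pad(parse_version(m.group(2)))
        v = pad(parse_version(version))
        return {">=": v >= target, "<=": v <= target, ">": v > target,
                "<": v < target, "=": v == target}[op]
    prefix = parse_version(spec)
    return parse_version(version)[:len(prefix)] == prefix

def is_ignored(name, old, new, rules=IGNORE_RULES):
    """Return the first rule that would suppress the old -> new update of `name`,
    or None. A bare dependency-name (no versions/update-types) ignores everything."""
    for rule in rules:
        if not fnmatch.fnmatchcase(name, rule["dependency-name"]):
            continue
        versions, types = rule.get("versions"), rule.get("update-types")
        if ((not versions and not types)
                or (versions and any(version_matches(s, new) for s in versions))
                or (types and semver_level(old, new) in types)):
            return rule
    return None
```

Feed it the dependency name and the old and new versions of each pending update; a non-None result names the rule that keeps that update out of your pull request queue.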
Defining a versioning strategy
By default, Dependabot tries to increase the minimum version requirement for dependencies it identifies as apps, and widens the allowed version requirement to include both the new and the old version for dependencies it identifies as libraries.
You can change this default strategy. For more information, see versioning-strategy in "Dependabot options reference."
In this example, Dependabot increases the minimum version requirement to match the new version for both apps and libraries.
```yaml
version: 2
updates:
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: daily
    # Increase the minimum version for all npm dependencies
    versioning-strategy: increase
```
In this example, Dependabot only increases the minimum version requirement if the original constraint does not allow the new version.
```yaml
version: 2
updates:
  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: daily
    open-pull-requests-limit: 20
    rebase-strategy: "disabled"
    # Increase the version requirements for pip
    # only when required
    versioning-strategy: increase-if-necessary
```
Updating vendored dependencies
You can instruct Dependabot to vendor specific dependencies when it updates them.
Dependabot automatically maintains vendored dependencies for Go modules, and you can configure Bundler to update vendored dependencies.
For more information, see vendor in "Dependabot options reference."
In this example, vendor is set to true for Bundler, which means Dependabot also maintains the Bundler dependencies stored in the repository's vendor/cache directory.
```yaml
version: 2
updates:
  - package-ecosystem: bundler
    directory: "/"
    # Vendoring Bundler
    vendor: true
    schedule:
      interval: weekly
      day: saturday
    open-pull-requests-limit: 10
```