可以通过向你的 dependabot.yml
文件添加选项来自定义你的 Dependabot 配置以满足你的需求。 例如,可以确保 Dependabot 使用正确的包清单文件,并仅更新要维护的依赖项。
本文整理了可能有用的自定义选项。
针对清单文件定义多个位置
如果要为存储在多个位置的清单文件启用 Dependabot version updates,可以使用 directories
来代替 directory
。 例如,此配置为存储在不同目录中的清单文件设置两个不同的更新计划。
# Specify the locations of the manifest files to update for each package manager # using both `directories` and `directory` version: 2 updates: - package-ecosystem: "bundler" # Update manifest files stored in these directories weekly directories: - "/frontend" - "/backend" - "/admin" schedule: interval: "weekly" - package-ecosystem: "bundler" # Update manifest files stored in the root directory daily directory: "/" schedule: interval: "daily"
# Specify the locations of the manifest files to update for each package manager
# using both `directories` and `directory`
version: 2
updates:
- package-ecosystem: "bundler"
# Update manifest files stored in these directories weekly
directories:
- "/frontend"
- "/backend"
- "/admin"
schedule:
interval: "weekly"
- package-ecosystem: "bundler"
# Update manifest files stored in the root directory daily
directory: "/"
schedule:
interval: "daily"
-
使用模式指定一系列目录
YAML # Specify the root directory and directories that start with "lib-", # using globbing, for locations of manifest files version: 2 updates: - package-ecosystem: "composer" directories: - "/" - "/lib-*" schedule: interval: "weekly"
# Specify the root directory and directories that start with "lib-", # using globbing, for locations of manifest files version: 2 updates: - package-ecosystem: "composer" directories: - "/" - "/lib-*" schedule: interval: "weekly"
-
在当前目录和递归子目录中指定清单
YAML # Specify all directories from the current layer and below recursively, # using globstar, for locations of manifest files version: 2 updates: - package-ecosystem: "composer" directories: - "**/*" schedule: interval: "weekly"
# Specify all directories from the current layer and below recursively, # using globstar, for locations of manifest files version: 2 updates: - package-ecosystem: "composer" directories: - "**/*" schedule: interval: "weekly"
忽略特定依赖项
如果尚未准备好采用项目中某些依赖项的更改,可以将 Dependabot 配置为在打开版本更新和安全更新的拉取请求时忽略这些依赖项。 可使用以下方法之一来执行此操作。
- 为
dependabot.yml
文件中的依赖项配置ignore
选项。- 可以使用此选项来忽略特定依赖项、版本和更新类型的更新。
- 有关详细信息,请参阅“Dependabot 选项参考”中的
ignore
。
- 对 Dependabot 拉取请求使用
@dependabot ignore
注释命令进行版本更新和安全更新。- 可以使用注释命令来忽略特定依赖项和版本的更新。
- 有关详细信息,请参阅“管理依赖项更新的所有拉取请求”。
以下一些示例展示了可以如何使用 ignore
来自定义更新的依赖项。
-
忽略特定版本之外的更新
YAML ignore: - dependency-name: "lodash:*" # Ignore versions of Lodash that are equal to or greater than 1.0.0 versions: [ ">=1.0.0" ]
ignore: - dependency-name: "lodash:*" # Ignore versions of Lodash that are equal to or greater than 1.0.0 versions: [ ">=1.0.0" ]
YAML ignore: - dependency-name: "sphinx" versions: [ "[1.1,)" ]
ignore: - dependency-name: "sphinx" versions: [ "[1.1,)" ]
-
忽略补丁更新
YAML ignore: - dependency-name: "@types/node" # Ignore patch updates for Node update-types: ["version-update:semver-patch"]
ignore: - dependency-name: "@types/node" # Ignore patch updates for Node update-types: ["version-update:semver-patch"]
-
若要忽略特定版本或一系列版本,请参阅“忽略特定版本或一系列版本”。
如果要取消忽略依赖项或忽略条件,可以从 dependabot.yml
文件中删除忽略条件或重新打开拉取请求。
对于已分组更新的拉取请求,还可以使用 @dependabot unignore
注释命令。 @dependabot unignore
注释命令可通过注释 Dependabot 拉取请求来执行以下操作:
- 取消忽略特定忽略条件
- 取消忽略特定依赖项
- 取消忽略 Dependabot 拉取请求中所有依赖项的所有忽略条件
有关详细信息,请参阅“管理依赖项更新的所有拉取请求”。
允许更新特定依赖项
可以使用 allow
告知 Dependabot 你想要维护的依赖项。 allow
通常与 ignore
结合使用。
有关详细信息,请参阅“Dependabot 选项参考”中的 allow
。
默认情况下,Dependabot 仅为清单中显式定义的依赖项(direct
依赖项)创建版本更新拉取请求。 此配置使用 allow
来告知 Dependabot 我们希望它维护 all
类型的依赖项。 也就是说,同时包括 direct
依赖项及其依赖项(也称为间接依赖项、子依赖项或暂时性依赖项)。 此外,配置会告知 Dependabot 忽略名称与模式 org.xwiki.*
匹配的所有依赖项,因为我们有一个不同的过程来维护它们。
Tip
Dependabot 可检查所有被允许的依赖项,然后筛选掉任何被忽略的依赖项。******** 如果依赖项与 allow 和 ignore 语句匹配,则会被忽略。********
version: 2 registries: # Helps find updates for non Maven Central dependencies maven-xwiki-public: type: maven-repository url: https://nexus.xwiki.org/nexus/content/groups/public/ username: "" password: "" # Required to resolve xwiki-common SNAPSHOT parent pom maven-xwiki-snapshots: type: maven-repository url: https://maven.xwiki.org/snapshots username: "" password: "" updates: - package-ecosystem: "maven" directory: "/" registries: - maven-xwiki-public - maven-xwiki-snapshots schedule: interval: "weekly" allow: # Allow both direct and indirect updates for all packages. - dependency-type: "all" ignore: # Ignore XWiki dependencies. We have a separate process for updating them - dependency-name: "org.xwiki.*" open-pull-requests-limit: 15
version: 2
registries:
# Helps find updates for non Maven Central dependencies
maven-xwiki-public:
type: maven-repository
url: https://nexus.xwiki.org/nexus/content/groups/public/
username: ""
password: ""
# Required to resolve xwiki-common SNAPSHOT parent pom
maven-xwiki-snapshots:
type: maven-repository
url: https://maven.xwiki.org/snapshots
username: ""
password: ""
updates:
- package-ecosystem: "maven"
directory: "/"
registries:
- maven-xwiki-public
- maven-xwiki-snapshots
schedule:
interval: "weekly"
allow:
# Allow both direct and indirect updates for all packages.
- dependency-type: "all"
ignore:
# Ignore XWiki dependencies. We have a separate process for updating them
- dependency-name: "org.xwiki.*"
open-pull-requests-limit: 15
忽略特定版本或一系列版本
可以将 versions
与 ignore
结合使用来忽略特定版本或一系列版本。
有关详细信息,请参阅“Dependabot 选项参考”中的 versions
。
-
忽略特定版本
YAML ignore: - dependency-name: "django*" # Ignore version 11 versions: [ "11" ]
ignore: - dependency-name: "django*" # Ignore version 11 versions: [ "11" ]
-
忽略一系列版本
YAML ignore: - dependency-name: "@types/node" versions: ["15.x", "14.x", "13.x"] - dependency-name: "xdg-basedir" # 5.0.0 has breaking changes as they switch to named exports # and convert the module to ESM # We can't use it until we switch to ESM across the project versions: ["5.x"] - dependency-name: "limiter" # 2.0.0 has breaking changes # so we want to delay updating. versions: ["2.x"]
ignore: - dependency-name: "@types/node" versions: ["15.x", "14.x", "13.x"] - dependency-name: "xdg-basedir" # 5.0.0 has breaking changes as they switch to named exports # and convert the module to ESM # We can't use it until we switch to ESM across the project versions: ["5.x"] - dependency-name: "limiter" # 2.0.0 has breaking changes # so we want to delay updating. versions: ["2.x"]
指定要忽略的语义化版本控制级别
可以使用 update-types
指定要忽略的一个或多个语义化版本控制 (SemVer) 级别。
有关详细信息,请参阅“Dependabot 选项参考”中的 update-types
。
在此示例中,Dependabot 将忽略 Node 的补丁更新。
version: 2 updates: - package-ecosystem: "npm" directory: "/" schedule: interval: "daily" ignore: - dependency-name: "express" # For Express, ignore all updates for version 4 and 5 versions: ["4.x", "5.x"] # For Lodash, ignore all updates - dependency-name: "lodash" - dependency-name: "@types/node" # For Node types, ignore any patch versions update-types: ["version-update:semver-patch"]
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "daily"
ignore:
- dependency-name: "express"
# For Express, ignore all updates for version 4 and 5
versions: ["4.x", "5.x"]
# For Lodash, ignore all updates
- dependency-name: "lodash"
- dependency-name: "@types/node"
# For Node types, ignore any patch versions
update-types: ["version-update:semver-patch"]
定义版本控制策略
默认情况下,Dependabot 会尝试提高它识别为应用的依赖项的最低版本要求,并放宽允许的版本要求以包括它识别为库的依赖项的新旧版本。
可以更改此默认策略。 有关详细信息,请参阅“Dependabot 选项参考”中的 versioning-strategy
。
在此示例中,Dependabot 将提高最低版本要求以匹配应用和库的新版本。
version: 2 updates: - package-ecosystem: npm directory: "/" schedule: interval: daily # Increase the minimum version for all npm dependencies versioning-strategy: increase
version: 2
updates:
- package-ecosystem: npm
directory: "/"
schedule:
interval: daily
# Increase the minimum version for all npm dependencies
versioning-strategy: increase
在此示例中,如果原始约束不允许新版本,Dependabot 才将提高最低版本要求。****
version: 2 updates: - package-ecosystem: pip directory: "/" schedule: interval: daily open-pull-requests-limit: 20 rebase-strategy: "disabled" # Increase the version requirements for npm # only when required versioning-strategy: increase-if-necessary
version: 2
updates:
- package-ecosystem: pip
directory: "/"
schedule:
interval: daily
open-pull-requests-limit: 20
rebase-strategy: "disabled"
# Increase the version requirements for npm
# only when required
versioning-strategy: increase-if-necessary
更新供应的依赖项
可以指示 Dependabot 在更新特定依赖项时供应它们。
Dependabot 自动为 Go 模块维护供应的依赖项,并且你可以配置 Bundler 来更新供应的依赖项。
有关详细信息,请参阅“Dependabot 选项参考”中的 vendor
。
在此示例中,对于 Bundler,vendor
设置为 true
,这意味着 Dependabot 还将为 Bundler 维护存储在仓库中的 vendor/cache 目录中的依赖项。__
version: 2 updates: - package-ecosystem: bundler directory: "/" # Vendoring Bundler vendor: true schedule: interval: weekly day: saturday open-pull-requests-limit: 10
version: 2
updates:
- package-ecosystem: bundler
directory: "/"
# Vendoring Bundler
vendor: true
schedule:
interval: weekly
day: saturday
open-pull-requests-limit: 10