Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider removing package-lock.json from template #276

Open
tormi opened this issue Feb 10, 2022 · 3 comments
Open

Consider removing package-lock.json from template #276

tormi opened this issue Feb 10, 2022 · 3 comments

Comments

@tormi
Copy link
Member

tormi commented Feb 10, 2022

Currently, it's impossible to merge quite frequent dependabot.yml pull requests because these are overwriting our minimally configured package-lock.json. See #274 for example.
@tormi
Copy link
Member Author

tormi commented Feb 10, 2022

Let's investigate if we can exclude files from Dependabot first. Configuration options for dependency updates, https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates

@tormi
Copy link
Member Author

tormi commented Feb 10, 2022

There's a Dependabot FR filed to only target package.json file dependabot/dependabot-core#3184

@tormi
Copy link
Member Author

tormi commented Feb 10, 2022

So basically we need similar strategy for manifest file as is available for lockfile (versioning-strategy: lockfile-only). See https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#versioning-strategy

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@tormi