Can I limit dependabot to only open PRs when items in requirements txt have related CVE? #127267
I've got dependabot configured in a private repo, where it's scanning our requirements txt file and generating PRs for outdated modules. fwiw, the file isn't named The issue we face is that there are 100+ The PRs to bump I suppose I can ignore those and maybe dependabot will eventually get to some modules which have related CVE, but I wonder... can I make an adjustment to our current file which would say "only create an alert if the upgrade would fix a known vulnerability?"

```yaml
version: 2
updates:
  - package-ecosystem: "pip" # See documentation for possible values
    directory: "/Resources/Python-framework-tool" # Location of package manifests
    schedule:
      interval: "weekly"
```
Replies: 1 comment
It seems that the issue is the unconventional name for the requirements file. Renaming it to `requirements.txt` allowed the behavior I was looking for (after disabling the scanning). I guess it's just an oddity that the version scanning did NOT need the file named `requirements.txt`.
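As an added example, not the poster's configuration: the same `dependabot.yml` with version updates switched off through `open-pull-requests-limit: 0`, which is the documented way to stop the "bump X from a to b" PRs while Dependabot security updates keep opening PRs for dependencies with a known vulnerability. It assumes security updates are enabled in the repository's Code security settings and that the manifest is named `requirements.txt`, as the reply describes.

```yaml
# Added example (not from the thread): dependabot.yml for a repository that
# wants pull requests only when a dependency has a known vulnerability.
version: 2
updates:
  - package-ecosystem: "pip"
    # Assumption: the manifest in this directory is now named requirements.txt,
    # which is what the dependency graph (and so security updates) recognizes.
    directory: "/Resources/Python-framework-tool"
    schedule:
      interval: "weekly"
    # 0 disables Dependabot *version* updates for this ecosystem, so no more
    # PRs for modules that are merely outdated. Dependabot *security* updates
    # are a separate feature enabled in the repository's security settings;
    # they still open PRs for vulnerable dependencies and still read the
    # other settings in this file (labels, reviewers, ignore rules).
    open-pull-requests-limit: 0
```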