Dependabot Gem Updates

[nroose]

Select Topic Area

Question

Body

A few months ago, we enabled Dependabot's updates for non-security updates. I thought it would update gems within the version restrictions set up in our Gemfile. But there are many available updates and it doesn't usually do them. It does update the Gemfile sometimes to change the version restrictions we have set. This usually just fails our tests, and we can't merge those PRs. Is this intended? Seems bad to change version restrictions we have set.

[ericpd]

Dependabot's non-security updates feature is designed to automatically update your dependencies to their latest versions, even if the new version does not fall within the version restrictions set up in your Gemfile. This is because Dependabot's goal is to keep all of your dependencies up-to-date and secure.

However, it is important to note that Dependabot should not be changing the version restrictions you have set without your knowledge or consent. If you are experiencing issues where your tests are failing due to version conflicts caused by Dependabot updates, it may be worth reviewing your Gemfile and evaluating whether the version restrictions you have set are too narrow or overly specific.

If you believe that Dependabot is changing your version restrictions without your consent, you can review its configuration settings in your repository to ensure that it is behaving as expected. You may also want to consider adjusting your settings or disabling the non-security updates feature altogether if it is causing too many issues for your team.

[nroose]

There are numerous gems that have updates that it's not creating PRs to update.. I don't want/need it to do updates to the Gemfile, just Gemfile.lock. I don't see any settings documentation about that. It's not doing it without our permission, just creating PRs that are failing tests and just noise, but not creating PRs on many updatable gems and that would be useful.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬