Dependabot: grouped updates #148

github-product-roadmap · 2021-01-13T19:59:44Z

Summary

Today, Dependabot security updates always send one PR per package updated. So, if you have a security update that affects JUnit, and you have 5 pom.xml files that each list JUnit as a dependency, you'll get 5 pull requests. With this change, we'll instead send one secuirty update PR for all instances of a vulnerable package in a single repository.

Intended Outcome

Reduce the volume of Dependabot PRs a user needs to review to address a single vulnerability.

How will it work?

For a new vulnerability, instead of sending one PR per dependency, Dependabot will send one PR per repo.

github locked and limited conversation to collaborators Jan 13, 2021

github-product-roadmap added this to Q3 2021 – Jul-Sep in GitHub public roadmap Jan 13, 2021

github-product-roadmap added all cloud ga security & compliance labels Jan 13, 2021

github-product-roadmap moved this from Q3 2021 – Jul-Sep to Future in GitHub public roadmap May 12, 2021

github-product-roadmap added the tpm staffed label Jun 9, 2021

Sid-ah removed the tpm staffed label Jun 9, 2021

Sid-ah added the dependabot label Sep 27, 2021

Sep	OCT	Nov
	27
2020	2021	2022

github / roadmap Public

Dependabot: grouped updates #148

Dependabot: grouped updates #148

github-product-roadmap commented Jan 13, 2021

github / roadmap Public

Dependabot: grouped updates #148

Dependabot: grouped updates #148

Comments

github-product-roadmap commented Jan 13, 2021

Summary

Intended Outcome

How will it work?