Grouped Security PRs for Dependabot Public Beta Feedback

[carogalvin]

Select Topic Area

General

Body

We want YOUR feedback on Dependabot grouped security updates!

We know Dependabot is noisy. We see the memes. And we get it! Resolving Dependabot’s pull requests can feel like a Sisyphean task - never ending toil where you close one PR and several more pop up in their place. This is where grouped updates come in - single PRs that resolve multiple updates at once.

We already released grouped updates for scheduled version updates, and now we have released the public beta for grouping for security updates.

If you’ve had a chance to try it out, we'd love to hear your feedback on 1) what's working for you, 2) what needs to change, and 3) what you'd like us to tackle next!

What are grouped security updates?

Dependabot will collect all available security updates in a repository and attempt to open one pull request with all of them, per ecosystem, across directories. There is no further configuration available yet.

• Dependabot will NOT group across ecosystem (e.g. it will not group pip updates and npm updates together)
• Dependabot WILL group across directories (e.g. if you have multiple package.json’s in different directories in the same repository)
• If you have version updates enabled as well, Dependabot will NOT group security updates with version updates
• If you use grouping for version updates, your groups configuration in dependabot.yml will NOT apply to security updates

📖 Helpful information:

• How to enable grouped security updates
• More information on Dependabot security updates
• More information on Dependabot version updates

[samigt]

How long does it take to group existing PRs after the feature is enabled ?

[carogalvin]

It should happen within a few minutes of clicking the "Enable" button! If there's an error, you should be able to see it from the Alert view in the repo: Security > Dependabot, and click on an alert there should be an update for

[wlynch]

Dependabot WILL group across directories (e.g. if you have multiple package.json’s in different directories in the same repository)

💯 Nice!

Are there any examples of how to configure this? I can't find any relevant fields in the groups configuration (though maybe I'm looking in the wrong place). 🤔

[carogalvin]

Hi @wlynch , grouping across directories is only for grouped security updates (not grouped version updates, which is configured with groups) - it's not customizable right now and will group across all directories for security updates when enabled.

Further customization for this (and bringing it to grouped version updates) is on our roadmap!