Are security-only updates supported?
Hi,
We'd like to use this great extension for our security updates on Azure DevOps Services. Is it possible to only create pull requests for security updates?
We tried with `"dependency-type":"security"`
- found on https://github.com/tinglesoftware/dependabot-azure-devops/blob/main/src/script/update-script.rb#L173
But it always gives "not allowed", e.g.:

```text
Checking if gulp-scss-lint needs updating
Requirements to unlock own
Updating gulp-scss-lint is not allowed
```
Tested with gulp-scss-lint 0.7.2 (link to GitHub security database) and log4net 2.0.9 (link to GitHub security database)
full yaml:
```yaml
trigger: none # Disable CI trigger
schedules:
- cron: '0 2 * * *' # daily at 2am UTC
  always: true # run even when there are no code changes
  branches:
    include:
    - master
    - main
  batch: true
  displayName: Daily
# variables declared below can be put in one or more Variable Groups for sharing across pipelines
variables:
  DEPENDABOT_ALLOW_CONDITIONS: '[{"dependency-name":".*","dependency-type":"security"}]' # packages allowed to be updated
pool:
  vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported)
steps:
- task: dependabot@1
  inputs:
    useConfigFile: true
```
full package.json:
```json
{
  "name": "Sample frontend",
  "version": "0.1.0",
  "private": true,
  "scripts": {},
  "dependencies": {
    "axios": "^0.21.0",
    "core-js": "^3.6.5",
    "guid-typescript": "^1.0.9",
    "vee-validate": "^3.4.5",
    "vue": "^2.6.11",
    "vue-cleave-component": "^2.1.3",
    "vuex": "^3.6.2",
    "gulp-scss-lint": "0.7.2"
  },
  "devDependencies": {
    "@types/jest": "^24.0.19",
    "@typescript-eslint/eslint-plugin": "^2.33.0",
    "@typescript-eslint/parser": "^2.33.0",
    "@vue/cli-plugin-babel": "~4.5.0",
    "@vue/cli-plugin-eslint": "~4.5.0",
    "@vue/cli-plugin-typescript": "~4.5.0",
    "@vue/cli-plugin-unit-jest": "~4.5.0",
    "@vue/cli-service": "~4.5.0",
    "@vue/eslint-config-prettier": "^6.0.0",
    "@vue/eslint-config-typescript": "^5.0.2",
    "@vue/test-utils": "^1.0.3",
    "copy-modules-webpack-plugin": "^2.1.1",
    "eslint": "^6.7.2",
    "eslint-plugin-prettier": "^3.1.3",
    "eslint-plugin-vue": "^6.2.2",
    "flush-promises": "^1.0.2",
    "jest-junit": "^12.0.0",
    "lint-staged": "^9.5.0",
    "prettier": "^1.19.1",
    "sass": "^1.26.5",
    "sass-loader": "^8.0.2",
    "typescript": "~3.9.3",
    "vue-svg-loader": "^0.16.0",
    "vue-template-compiler": "^2.6.11"
  }
}
```
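The "not allowed" verdict above comes from evaluating the `DEPENDABOT_ALLOW_CONDITIONS` list against each dependency. The Ruby below is an added illustration, not code from the dependabot-azure-devops extension or from dependabot-core: it models how a `dependency-type: "security"` allow condition can only match a dependency that the runner already knows to be vulnerable, so if the run has no advisory data for `gulp-scss-lint`, the condition matches nothing and the update is refused. The `Advisory` struct, the `dep_groups` argument, the treatment of a missing `dependency-type` as `"all"`, and the `SAMPLE_ADVISORIES` entry (a constructed placeholder range, not a record from any advisory database) are all assumptions made for this example.

```ruby
require "json"
require "rubygems" # provides Gem::Version / Gem::Requirement

# Constructed sample input: the allow condition from the pipeline variable above.
ALLOW_CONDITIONS_JSON = '[{"dependency-name":".*","dependency-type":"security"}]'

# An advisory as this hypothetical model sees it: a dependency name plus the
# version requirements that are vulnerable. Field names are an assumption.
Advisory = Struct.new(:dependency_name, :vulnerable_versions)

# Constructed placeholder advisory for the demonstration only; the range is
# made up and is not a record from any advisory database.
SAMPLE_ADVISORIES = [
  Advisory.new("gulp-scss-lint", ["<= 0.7.2"])
].freeze

# Turn the JSON array of allow conditions into anchored, case-insensitive name
# patterns plus a dependency type. A condition with no "dependency-type" is
# treated as "all" here (assumption for the model).
def parse_allow_conditions(json)
  JSON.parse(json).map do |cond|
    {
      name: Regexp.new("\\A#{cond.fetch("dependency-name")}\\z", Regexp::IGNORECASE),
      type: cond.fetch("dependency-type", "all")
    }
  end
end

# A dependency counts as vulnerable only if an advisory the runner knows about
# names it and its current version satisfies one of the vulnerable ranges.
def vulnerable?(dep_name, dep_version, advisories)
  version = Gem::Version.new(dep_version)
  advisories.any? do |adv|
    adv.dependency_name.casecmp?(dep_name) &&
      adv.vulnerable_versions.any? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
  end
end

# Evaluate the allow conditions for one dependency. `dep_groups` lists the
# package.json sections the dependency appears in ("dependencies" /
# "devDependencies"). With an allow list present, only a matching condition
# permits an update; a security condition additionally needs advisory data.
def allowed_to_update?(dep_name, dep_version, dep_groups, conditions, advisories)
  matching = conditions.select { |c| c[:name].match?(dep_name) }
  return false if matching.empty?

  matching.any? do |c|
    case c[:type]
    when "all"         then true
    when "production"  then dep_groups.include?("dependencies")
    when "development" then dep_groups.include?("devDependencies")
    when "security"    then vulnerable?(dep_name, dep_version, advisories)
    else false
    end
  end
end

# Produce the same one-line verdict format that the log output above shows.
def decision(dep_name, dep_version, dep_groups, conditions, advisories)
  if allowed_to_update?(dep_name, dep_version, dep_groups, conditions, advisories)
    "Updating #{dep_name}"
  else
    "Updating #{dep_name} is not allowed"
  end
end

if __FILE__ == $PROGRAM_NAME
  conds = parse_allow_conditions(ALLOW_CONDITIONS_JSON)
  # No advisory source wired in: the security-only condition matches nothing.
  puts decision("gulp-scss-lint", "0.7.2", ["dependencies"], conds, [])
  # With advisory data for the dependency, the same condition allows it.
  puts decision("gulp-scss-lint", "0.7.2", ["dependencies"], conds, SAMPLE_ADVISORIES)
  # Packages with no matching advisory stay blocked under a security-only condition.
  puts decision("axios", "0.21.0", ["dependencies"], conds, SAMPLE_ADVISORIES)
end
```

The practical check this suggests when debugging a run like the one above: confirm what advisory data the runner actually has for the dependency before concluding the allow condition is being ignored, since a security-only condition with an empty advisory set is indistinguishable in the log from a condition that never matched.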
Top GitHub Comments
Hello @mburumaxwell, why did you close it as ‘not planned’? I think that this enhancement would be very useful. Even if you don’t have time, maybe there will be someone brave enough to try to submit PR 😉
I think this feature is a must have.
We tried changing the ruby script in the past, but unfortunately you really need some Ruby skills.