
Are security-only updates supported?


Hi,

We'd like to use this great extension for our security updates on Azure DevOps Services. Is it possible to only create pull requests for security updates?

We tried with "dependency-type":"security" - found on https://github.com/tinglesoftware/dependabot-azure-devops/blob/main/src/script/update-script.rb#L173

But it always gives: not allowed, e.g.:

Checking if gulp-scss-lint  needs updating
Requirements to unlock own
Updating gulp-scss-lint is not allowed

Tested with gulp-scss-lint 0.7.2 (link to GitHub security database) and log4net 2.0.9 (link to GitHub security database)

Full YAML:

trigger: none # Disable CI trigger

schedules:
- cron: '0 2 * * *' # daily at 2am UTC
  always: true # run even when there are no code changes
  branches:
    include:
      - master
      - main
  batch: true
  displayName: Daily

# variables declared below can be put in one or more Variable Groups for sharing across pipelines
variables:
  DEPENDABOT_ALLOW_CONDITIONS: '[{"dependency-name":".*","dependency-type":"security"}]' # packages allowed to be updated

pool:
  vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported)

steps:
- task: dependabot@1
  inputs:
    useConfigFile: true

Full package.json:

{
  "name": "Sample frontend",
  "version": "0.1.0",
  "private": true,
  "scripts": {},
  "dependencies": {
    "axios": "^0.21.0",
    "core-js": "^3.6.5",
    "guid-typescript": "^1.0.9",
    "vee-validate": "^3.4.5",
    "vue": "^2.6.11",
    "vue-cleave-component": "^2.1.3",
    "vuex": "^3.6.2",
    "gulp-scss-lint": "0.7.2"
  },
  "devDependencies": {
    "@types/jest": "^24.0.19",
    "@typescript-eslint/eslint-plugin": "^2.33.0",
    "@typescript-eslint/parser": "^2.33.0",
    "@vue/cli-plugin-babel": "~4.5.0",
    "@vue/cli-plugin-eslint": "~4.5.0",
    "@vue/cli-plugin-typescript": "~4.5.0",
    "@vue/cli-plugin-unit-jest": "~4.5.0",
    "@vue/cli-service": "~4.5.0",
    "@vue/eslint-config-prettier": "^6.0.0",
    "@vue/eslint-config-typescript": "^5.0.2",
    "@vue/test-utils": "^1.0.3",
    "copy-modules-webpack-plugin": "^2.1.1",
    "eslint": "^6.7.2",
    "eslint-plugin-prettier": "^3.1.3",
    "eslint-plugin-vue": "^6.2.2",
    "flush-promises": "^1.0.2",
    "jest-junit": "^12.0.0",
    "lint-staged": "^9.5.0",
    "prettier": "^1.19.1",
    "sass": "^1.26.5",
    "sass-loader": "^8.0.2",
    "typescript": "~3.9.3",
    "vue-svg-loader": "^0.16.0",
    "vue-template-compiler": "^2.6.11"
  }
}
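To make the allow-condition semantics concrete, here is an added Ruby illustration (not the extension's update-script.rb, whose actual evaluation may differ). It evaluates a condition list like the one in the pipeline above against the package.json from the issue, treating dependency-name as a regex; ADVISORIES, update_allowed? and the other names are assumptions of this example. The point it shows: a "security" condition can only match when the checker also has vulnerability data for the dependency, so without any advisory source every dependency ends up "not allowed".

```ruby
require "json"

# Constructed sample: the allow condition from the issue's pipeline variable.
ALLOW_CONDITIONS = JSON.parse('[{"dependency-name":".*","dependency-type":"security"}]')

# Constructed sample: a trimmed copy of the package.json from the issue.
PACKAGE_JSON = JSON.parse(<<~PKG)
  {
    "dependencies": { "gulp-scss-lint": "0.7.2", "axios": "^0.21.0" },
    "devDependencies": { "eslint": "^6.7.2" }
  }
PKG

# Constructed advisory data (assumed shape: name => affected versions). A
# security-only filter needs some such source; the issue itself has none.
ADVISORIES = { "gulp-scss-lint" => ["0.7.2"] }

# "production" for dependencies, "development" for devDependencies, nil if absent.
def dependency_type(name)
  return "production" if PACKAGE_JSON["dependencies"].key?(name)
  return "development" if PACKAGE_JSON["devDependencies"].key?(name)
  nil
end

def vulnerable?(name, version, advisories)
  (advisories[name] || []).include?(version)
end

# Evaluate one allow condition: the name must match, then the type must fit.
def condition_allows?(cond, name, version, advisories)
  name_re = Regexp.new("\\A(?:#{cond.fetch("dependency-name", ".*")})\\z")
  return false unless name_re.match?(name)
  case cond.fetch("dependency-type", "all")
  when "all" then true
  when "direct" then !dependency_type(name).nil?
  when "production", "development" then dependency_type(name) == cond["dependency-type"]
  when "security" then vulnerable?(name, version, advisories) # needs advisory data
  else false
  end
end

# An update is allowed when any condition in the list allows it.
def update_allowed?(name, version, conditions = ALLOW_CONDITIONS, advisories = ADVISORIES)
  conditions.any? { |c| condition_allows?(c, name, version, advisories) }
end
```

With an empty advisory map the security condition rejects even gulp-scss-lint 0.7.2, which is the behaviour the log lines above report for every package.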

Top GitHub Comments

1 reaction
pciarach commented, Jul 4, 2022

Hello @mburumaxwell, why did you close it as 'not planned'? I think that this enhancement would be very useful. Even if you don't have time, maybe there will be someone brave enough to try to submit a PR 😉

0 reactions
304NotModified commented, Jul 4, 2022

I think this feature is a must have.

We tried changing the ruby script in the past, but unfortunately you really need some Ruby skills.
