Dependabot raising PRs for devDependencies when it's configured not to #11542
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Is there an existing issue for this?
Package ecosystem
npm
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
https://github.com/alphagov/govspeak-visual-editor/blob/main/package.json
dependabot.yml content
https://github.com/alphagov/govspeak-visual-editor/blob/main/.github/dependabot.yml
Updated dependency
alphagov/govspeak-visual-editor#229
"Bump prettier from 3.4.2 to 3.5.0"
What you expected to see, versus what you actually saw
In alphagov/govspeak-visual-editor@7a8008d, we configured Dependabot to only raise PRs for production dependencies. As 'prettier' is in the
devDependenciesarray in package.json, and as 3.4.2=>3.5.0 does not contain a security patch, we were not expecting Dependabot to raise a PR to update this.I've searched existing issues (#3475, #3479) which suggest that I have configured dependabot.yml correctly.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
alphagov/govspeak-visual-editor#229
Smallest manifest that reproduces the issue
No response
The text was updated successfully, but these errors were encountered: