Dependabot dependency scope yarn support #20339
Replies: 3 comments
I would love to see support for this too. I currently work around this limitation with an auto-labelling workflow leveraging the https://github.com/dependabot/fetch-metadata action for direct dependencies and There are two limitations with this approach though:
It seems running
@David-Hart-i2 thanks for your post. npm uses package-lock.json files, which provide more information about the dependencies and their versions, whereas yarn uses yarn.lock files, which do not provide this information in the same format.
No answer for you on roadmap. Keep checking maybe.
Has this now been fixed? I started seeing the development label on a bunch of Dependabot alerts. These used to previously all be labelled as runtime scoped. I could not find any official announcement for this though.
Hi,
It is great to see the ability to filter dependency alerts on scope (development vs runtime). I notice from the changelog documentation that npm is supported but yarn is not.
https://github.blog/changelog/2022-06-23-dependabot-alerts-filter-alerts-by-the-scope-of-the-dependency-runtime-and-development/
Is this just because the ecosystem parser only reads package-lock.json files, and not yarn.lock files?
I don't see anything on the public roadmap for enhancing this behavior to include the yarn ecosystem, is it work that is planned?
Many thanks
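The lockfile difference discussed in this thread, as an added example that is not part of any participant's post and is not Dependabot's implementation: package-lock.json (lockfileVersion 2/3) flags dev-only packages with `"dev": true`, while a yarn.lock v1 file has no such flag, so scope has to be derived from package.json. The function names, package names and sample lockfiles are constructed for illustration.

```javascript
// Added illustration, not Dependabot's code; sample data below is constructed.
// package-lock.json (v2/v3): npm marks dev-only packages with "dev": true.
function scopesFromPackageLock(lock) {
  const scopes = {};
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === '') continue; // root project entry
    const name = path.split('node_modules/').pop();
    scopes[name] = meta.dev ? 'development' : 'runtime';
  }
  return scopes;
}

// yarn.lock (v1) carries no such flag: walk the graph from package.json
// "dependencies"; locked packages that are never reached are dev-only.
// Simplification: versions of the same package are merged by name.
function scopesFromYarnLock(yarnLock, manifest) {
  const graph = {}; // package name -> names it depends on
  let current = null;
  for (const line of yarnLock.split('\n')) {
    if (/^[^#\s].*:$/.test(line)) { // entry header, e.g. web-lib@^1.0.0:
      const spec = line.slice(0, -1).split(',')[0].replace(/"/g, '');
      current = spec.slice(0, spec.lastIndexOf('@'));
      graph[current] = graph[current] || [];
    } else if (current && /^ {4}\S/.test(line)) { // edge under dependencies:
      graph[current].push(line.trim().split(' ')[0].replace(/"/g, ''));
    }
  }
  const runtime = new Set();
  const stack = Object.keys(manifest.dependencies || {});
  while (stack.length) {
    const name = stack.pop();
    if (runtime.has(name)) continue;
    runtime.add(name);
    stack.push(...(graph[name] || []));
  }
  const scopes = {};
  for (const name of Object.keys(graph)) scopes[name] = runtime.has(name) ? 'runtime' : 'development';
  return scopes;
}

const manifest = { dependencies: { 'web-lib': '^1.0.0' }, devDependencies: { 'test-tool': '^2.0.0' } };
const packageLock = { lockfileVersion: 3, packages: {
  '': {}, 'node_modules/web-lib': {}, 'node_modules/web-util': {},
  'node_modules/test-tool': { dev: true }, 'node_modules/test-util': { dev: true } } };
const yarnLock = ['# yarn lockfile v1', '', 'test-tool@^2.0.0:', '  version "2.0.0"',
  '  dependencies:', '    test-util "^1.0.0"', '', 'test-util@^1.0.0:', '  version "1.0.0"', '',
  'web-lib@^1.0.0:', '  version "1.0.0"', '  dependencies:', '    web-util "^3.0.0"', '',
  'web-util@^3.0.0:', '  version "3.0.0"'].join('\n');
console.log(scopesFromPackageLock(packageLock), scopesFromYarnLock(yarnLock, manifest));
```

Both functions classify the transitive `test-util` as development and `web-util` as runtime, but the yarn path only gets there by also reading package.json.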