fetch-metadata
Extract information about the dependencies being updated by a Dependabot-generated PR.
Dependabot PM following up a few days late
> Is there an option to tell dependabot "make one PR per week at most ...
You can set the `open-pull-requests-limit: 1` (https://docs.github.com/en/code-security/supply-chain-securi...) and the `schedule.interval: weekly` to limit the number of created PRs to one per week.
> ... and bundle your changes"?
We've referred to this feature as "grouped updates" and it's tracked on the roadmap: https://github.com/github/roadmap/issues/148
Potentially using `allow: direct` (https://docs.github.com/en/code-security/supply-chain-securi...) to ignore the random sub dependencies, or ignoring minor versions (https://docs.github.com/en/code-security/supply-chain-securi...) of some/all dependencies might help reduce that noise.
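The settings named in the comment above, combined into one `.github/dependabot.yml`. This is an added example, not part of the original comment or of Dependabot's own documentation; the `npm` ecosystem and the root directory are assumptions.

```yaml
# .github/dependabot.yml (constructed example)
version: 2
updates:
  - package-ecosystem: "npm"   # assumption: substitute the ecosystem you use
    directory: "/"             # assumption: manifest lives at the repo root
    schedule:
      interval: "weekly"       # check for new versions once a week
    # At most one open version-update PR at a time. Per GitHub's docs this
    # limit applies to version updates; security updates are limited separately.
    open-pull-requests-limit: 1
    # Only open PRs for dependencies declared directly in the manifest,
    # skipping transitive ("sub") dependencies.
    allow:
      - dependency-type: "direct"
    # Skip minor-version bumps for every dependency.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-minor"]
```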
I also get a lot of spam from Dependabot because of prereleases; I wish they would fix this bug: https://github.com/dependabot/dependabot-core/issues/2547
As others have pointed out, you can opt for daily / weekly or monthly updates; I'll stick to monthly until they fix this bug.
Dependabot PM here:
We've provided an action that will provide metadata (e.g. semver bump) that you can use to enable granular automerge. See https://github.com/dependabot/fetch-metadata/#enabling-auto-... for an example.