Merged
17 changes: 10 additions & 7 deletions .github/dependabot.yml
@@ -1,11 +1,14 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

version: 2
updates:
- package-ecosystem: "composer" # See documentation for possible values
directory: "/" # Location of package manifests
- package-ecosystem: "composer"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
versioning-strategy: increase
💡 Verification agent

🧩 Analysis chain

Validate Composer’s versioning strategy; confirm intended behavior

Using versioning-strategy: increase will widen version constraints in composer.json to the latest allowed versions. Ensure this matches your policy (often preferred for apps; libraries might prefer default behavior).

Would you like to confirm Composer supports increase here and that it’s the desired policy? If needed, we can switch to the default behavior by removing the key.


🌐 Web query:

Does Dependabot support `versioning-strategy: increase` for the Composer ecosystem in dependabot.yml? What are the allowed values and their effects?

💡 Result:

Dependabot supports versioning-strategy: increase for the Composer ecosystem in dependabot.yml. The allowed values for versioning-strategy in Composer (and other supported ecosystems) are: auto, increase, increase-if-necessary, lockfile-only, and widen.

Details of allowed values and their effects:

| Value | Effect |
| --- | --- |
| auto | Default: For "app"-type dependencies, increases the minimum version; for "library"-type, widens version range. |
| increase | Always increases the minimum version requirement to match the new version. If a range exists, typically only the lower bound is increased. |
| increase-if-necessary | Changes the constraint only if the new version is not already allowed by the original constraint. |
| lockfile-only | Only updates the lockfile, never modifies the manifest version requirements. |
| widen | Widens the allowed version range to include both the new and old versions, typically only increasing the upper bound. |

Example (for a composer.json constraint of ^1.0.0 and a new version of 1.2.0 or 2.0.0):

  • increase:
    • 1.2.0 → ^1.2.0
    • 2.0.0 → ^2.0.0
  • increase-if-necessary:
    • 1.2.0 → ^1.0.0 (unchanged, since it is within the initial range)
    • 2.0.0 → ^2.0.0 (changed, since it is outside the range)
  • widen:
    • 1.2.0 → ^1.0.0
    • 2.0.0 → >=1.0.0 <3.0.0

Summary for Composer:
You can use versioning-strategy: increase or any of the above strategies in your Composer section in dependabot.yml to control exactly how manifest version requirements are updated. The strategies allow fine control over how strict or permissive version bumps are when Dependabot proposes updates.

References:

  • The most up-to-date and authoritative information comes from the official GitHub Docs.
Clarify Composer versioning strategy configuration

File: .github/dependabot.yml
Line: 8

Using versioning-strategy: increase will bump only the minimum version requirement in your composer.json (i.e. update the lower bound to the new version). It does not widen the upper bound—that’s what the widen strategy does. Make sure always forcing a minimum-version bump aligns with your policy (apps often use it; libraries frequently prefer a more conservative or default approach).

Consider these options instead of (or in place of) increase:

  • auto: default; apps → increase minimum, libraries → widen range
  • increase: always bump the lower bound to the latest version
  • increase-if-necessary: only bump if the new version falls outside the existing constraint
  • lockfile-only: update the lockfile without touching your composer.json
  • widen: extend the version range to include both old and new versions

If you’d rather stick with Dependabot’s default behavior, remove the versioning-strategy key or choose one of the strategies above that best fits your project’s needs.

🤖 Prompt for AI Agents
.github/dependabot.yml around line 8: the file currently sets
versioning-strategy: increase which only bumps the minimum version (lower bound)
in composer.json and may not be the intended policy; update this key to the
desired strategy (e.g., remove the key to use Dependabot default, or set it to
auto, widen, increase-if-necessary, or lockfile-only depending on whether you
want to widen upper bounds, only adjust lockfile, or use Dependabot’s
app/library defaults) so the composer dependency updates match the project’s
intent.
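
The constraint rewrites in the review comment above, worked through as an added example that is not part of the bot's comment, the project's configuration, or Dependabot's own implementation. The code models only Composer-style caret constraints (`^MAJOR.MINOR.PATCH`) and emits the same range syntax the comment's `widen` example uses (`>=1.0.0 <3.0.0`); real Dependabot output can differ in syntax. The `project_type` argument used to resolve `auto` is an assumption of this example.

```python
"""Model of Dependabot versioning strategies for composer.json caret constraints.

Added illustrative code for this page; NOT Dependabot's implementation.
Assumptions: constraints are of the form ^MAJOR.MINOR.PATCH, versions are
MAJOR.MINOR.PATCH, and `auto` is resolved with an assumed project_type
("app" or "library"), matching the app/library rule stated in the comment.
"""
from __future__ import annotations

import re
from typing import Tuple

Version = Tuple[int, int, int]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_CARET_RE = re.compile(r"\^(\d+)\.(\d+)\.(\d+)")

STRATEGIES = ("auto", "increase", "increase-if-necessary", "lockfile-only", "widen")


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' into a comparable tuple."""
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unsupported version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def caret_bounds(constraint: str) -> Tuple[Version, Version]:
    """Return (inclusive lower, exclusive upper) for a Composer caret constraint.

    Composer's ^ keeps the leftmost non-zero component fixed:
      ^1.2.3 -> >=1.2.3 <2.0.0
      ^0.3.1 -> >=0.3.1 <0.4.0
    """
    m = _CARET_RE.fullmatch(constraint)
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    major, minor, patch = (int(x) for x in m.groups())
    lower = (major, minor, patch)
    if major > 0:
        upper = (major + 1, 0, 0)
    elif minor > 0:
        upper = (0, minor + 1, 0)
    else:
        upper = (0, 0, patch + 1)
    return lower, upper


def allows(constraint: str, version: str) -> bool:
    """True if the caret constraint already admits the given version."""
    lower, upper = caret_bounds(constraint)
    return lower <= parse_version(version) < upper


def apply_strategy(constraint: str, new_version: str, strategy: str,
                   project_type: str = "app") -> str:
    """Return the manifest constraint after Dependabot proposes new_version.

    Each branch implements one row of the strategy table in the comment.
    """
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown versioning-strategy: {strategy!r}")
    parse_version(new_version)  # validate early

    if strategy == "auto":
        # Assumed resolution: apps bump the minimum, libraries widen the range.
        strategy = "increase" if project_type == "app" else "widen"

    if strategy == "lockfile-only":
        # Manifest untouched; only composer.lock would move.
        return constraint
    if strategy == "increase":
        # Always raise the lower bound to the new version.
        return f"^{new_version}"
    if strategy == "increase-if-necessary":
        # Leave the constraint alone while it still admits the new version.
        return constraint if allows(constraint, new_version) else f"^{new_version}"
    # widen: keep the old lower bound, extend the upper bound past the new version.
    if allows(constraint, new_version):
        return constraint
    lower, _ = caret_bounds(constraint)
    _, upper = caret_bounds(f"^{new_version}")
    return f">={fmt(lower)} <{fmt(upper)}"


if __name__ == "__main__":
    for strategy in STRATEGIES:
        for new in ("1.2.0", "2.0.0"):
            print(f"{strategy:22s} ^1.0.0 + {new} -> {apply_strategy('^1.0.0', new, strategy)}")
```

Running the script prints the rewrite each strategy applies to `^1.0.0` for the two releases the comment uses; the `increase` row shows why a library may not want it: every minor release forces downstream consumers onto that minimum, whereas `widen` or `increase-if-necessary` leaves `^1.0.0` alone until a major bump.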

commit-message:
prefix: "composer"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
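Review bot: the new `github-actions` entry (`- package-ecosystem: "github-actions"` through `interval: "weekly"`) is missing the `open-pull-requests-limit` and `commit-message` `prefix: "composer"` settings that the composer entry directly above it gets, so Actions update PRs will arrive unlimited and without a prefix while Composer ones are capped at 10 and prefixed. If the prefix is used to route or label PRs, add a matching `commit-message:` block with `prefix: "github-actions"` and the same limit; if the asymmetry is deliberate, a one-line comment saying so would save the next reader the question. Dropping the `# See documentation for possible values` and `# Location of package manifests` comments is fine since the header comment still links to the configuration docs.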