Avoid bumping to versions which are not Long Term Support (LTS) version #2247

Open
dmabamboo opened this issue Jul 23, 2018 · 20 comments
Labels
F: configuration-file F: dependency-ignores Allow excluding certain versions F: language-support Issues specific to a particular language or ecosystem; may be paired with an L: label. Keep Exempt this from being marked by stalebot L: docker Docker containers T: feature-request Requests for new features T: new-ecosystem Requests for new ecosystems/languages

Comments

@dmabamboo

Hi,

Is there a way to avoid dependabot offering non-LTS versions of Node.js? We don't want to run any non-LTS versions but don't want to miss out on updates to the LTS version.

Regards,
Daniel

@greysteil
Contributor

Hey Daniel,

Interesting question. Is there a particular PR that's getting it wrong? If you link to that (you can email me on support@dependabot.com) then I'll have a think about specifically how Dependabot could do better there.

@dmabamboo
Author

Sorry @greysteil I didn't follow it up, sent you an email as requested.
Regards,
Dan

@lucas42

lucas42 commented Oct 23, 2019

Hi,

I was wondering whether you came to any conclusions from your email discussion on this?
I'm interested in the same thing, but didn't want to raise something new if it's already been looked into.

Cheers,
Luke

@rebelagentm
Contributor

@lucas42 Grey is no longer working on Dependabot (he's moved to security in general at GitHub), but I looked back through that support conversation, and I believe this was the conclusion:

  • It would be tricky from a Dependabot standpoint to have something specific to Node and LTS, but Grey didn't shut the door completely to the possibility.

That being said, the team is currently pretty swamped scaling Dependabot for GitHub, so it would be some time before we could get to looking into this. Since there is interest in this, I'm going to re-open this issue so we have it on our list.

@rebelagentm rebelagentm reopened this Oct 24, 2019
@lucas42

lucas42 commented Oct 24, 2019

Thanks!
I'm only using dependabot for some personal projects to begin with, so happy to upgrade to the latest and greatest of each release.

But if we were to roll it out across various teams at work, this would be a must-have feature.

Cheers

@rebelagentm
Contributor

Thanks for the feedback, @lucas42! We'll keep that in mind once we're able to turn our attention back to working on enhancements like this.

@infin8x infin8x transferred this issue from dependabot/feedback Jun 29, 2020
@infin8x infin8x added L: javascript:npm npm packages via npm T: feature-request Requests for new features F: language-support Issues specific to a particular language or ecosystem; may be paired with an L: label. T: new-ecosystem Requests for new ecosystems/languages labels Jul 2, 2020
@oittaa

oittaa commented Mar 8, 2021

Just encountered this issue when dependabot tried to update node from 14.16.0-alpine3.13 to 15.11.0-alpine3.13

oittaa/firebase-docker#1

@TanguyChiffoleau

An implementation of such a feature would be so great

domenic added a commit to whatwg/participate.whatwg.org that referenced this issue May 3, 2021
@asciimike
Contributor

Can you use ignore conditions to ignore odd versions, e.g.:

version: 2
updates:
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"
    ignore:
      - dependency-name: "node"
        versions: ["15.x", "17.x", ...]

I recognize that it's not automatic (e.g. we can't automatically ignore odd versions), but it only requires an update every six months (at most, you could even drop in the first few now...), which feels better than always closing the PR.

@domenic

domenic commented Aug 2, 2021

That doesn't work for the six month period (like the one we're in now with Node v16) where an even version is "current" but not yet promoted to "active LTS".

domenic added a commit to whatwg/participate.whatwg.org that referenced this issue Aug 2, 2021
domenic added a commit to whatwg/build.whatwg.org that referenced this issue Aug 2, 2021
@asciimike
Contributor

@domenic thanks for following up; is there a way to know if a version is LTS purely by looking at it, or would we have to add code to look at https://nodejs.org/en/about/releases/ and add six months (or manually update it every several years)?

Seems like the ignore would technically work, it would just have to be manually removed after the six month period.
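
Added example, not part of the thread and not Dependabot's own code: one way to derive the `ignore` list from a release schedule instead of from odd/even major numbers, which covers the window where an even major is "current" but not yet LTS. The `SCHEDULE` table is constructed sample data with illustrative dates, and the function names are hypothetical.

```python
from datetime import date

# Constructed sample schedule (illustrative dates, not fetched from nodejs.org).
# Each major has a release start, an optional LTS promotion date, and an end of life.
SCHEDULE = {
    14: {"start": date(2020, 4, 21), "lts": date(2020, 10, 27), "end": date(2023, 4, 30)},
    15: {"start": date(2020, 10, 20), "lts": None, "end": date(2021, 6, 1)},
    16: {"start": date(2021, 4, 20), "lts": date(2021, 10, 26), "end": date(2023, 9, 11)},
    17: {"start": date(2021, 10, 19), "lts": None, "end": date(2022, 6, 1)},
}


def is_lts(major, today, schedule=SCHEDULE):
    """True only if the major has been promoted to LTS and is not yet end of life."""
    entry = schedule.get(major)
    if entry is None or entry["lts"] is None:
        return False
    return entry["lts"] <= today < entry["end"]


def ignore_versions(today, schedule=SCHEDULE):
    """Every scheduled major that is not LTS on `today`.

    Majors that are not released yet are included on purpose, so a new
    major stays ignored until the list is regenerated after its promotion.
    """
    return [f"{major}.x" for major in sorted(schedule)
            if not is_lts(major, today, schedule)]


def render_ignore_block(today, schedule=SCHEDULE):
    """Render the `ignore` entry in the shape used in the config above."""
    versions = ", ".join(f'"{v}"' for v in ignore_versions(today, schedule))
    return (
        "    ignore:\n"
        '      - dependency-name: "node"\n'
        f"        versions: [{versions}]\n"
    )


if __name__ == "__main__":
    # Date of the "current but not yet active LTS" comment in this thread.
    print(render_ignore_block(date(2021, 8, 2)))
```

Run on a schedule (for example monthly) and commit the result; majors missing from the schedule table are not covered, so the table has to be kept current.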

domenic added a commit to whatwg/build.whatwg.org that referenced this issue Aug 2, 2023
Note that this also upgrades our Debian version!

Closes #82. See dependabot/dependabot-core#2247 for why this is necessary.
domenic added a commit to whatwg/participate.whatwg.org that referenced this issue Aug 2, 2023
domenic added a commit to whatwg/participate.whatwg.org that referenced this issue Sep 2, 2023
domenic added a commit to whatwg/build.whatwg.org that referenced this issue Dec 3, 2023
domenic added a commit to whatwg/participate.whatwg.org that referenced this issue Dec 3, 2023
@jonjanego jonjanego added the Keep Exempt this from being marked by stalebot label May 2, 2024
domenic added a commit to whatwg/build.whatwg.org that referenced this issue May 2, 2024
domenic added a commit to whatwg/participate.whatwg.org that referenced this issue May 7, 2024
domenic added a commit to whatwg/build.whatwg.org that referenced this issue Jun 3, 2024
domenic added a commit to whatwg/participate.whatwg.org that referenced this issue Jun 3, 2024