
Don't open PR's for security sub-dependencies if there is an update for the parent #2082

Closed
marcaddeo opened this issue Nov 14, 2019 · 2 comments
Labels
F: noise related to Dependabot being noisy, or initiatives to make Dependabot quieter F: version-updates ⬆️ Issues specific to version updates T: feature-request Requests for new features

Comments

@marcaddeo

So we're running Drupal 8, and using Composer to manage our dependencies. Yesterday symfony put out a security update, which is a sub-dependency of drupal/core. Drupal also put out a security update that updates the symfony/* dependencies.

Today, Dependabot is opening PRs for each symfony/* sub-dependency instead of just updating drupal/core, which would update all of them at once.

It would be ideal for Dependabot to be able to resolve the fact that updating the single parent dependency would also update all the sub-dependencies security updates.

@marcaddeo marcaddeo changed the title Don't open PR's for security sub-dependencies if there is an update for the parent. Don't open PR's for security sub-dependencies if there is an update for the parent Nov 14, 2019
@rebelagentm
Contributor

Thank you for opening this! We're pretty swamped at the moment, but we'll take this into consideration as soon as we can.

@infin8x infin8x transferred this issue from dependabot/feedback Jun 29, 2020
@infin8x infin8x added F: version-updates ⬆️ Issues specific to version updates T: feature-request Requests for new features F: noise related to Dependabot being noisy, or initiatives to make Dependabot quieter labels Jul 20, 2020
@jeffwidman
Member

👋 sorry for the slow followup here.

I understand the use case, it makes complete sense as a human. But I don't see a straightforward way to automagically handle this in a consistent way. There are all kinds of edge cases here... for example, if an underlying security update is high severity, but the overall parent project has a low severity risk and requires a breaking change, then the user may only wish to merge the underlying sub-dep PR and not the parent PR... so we'd be making some assumptions that may be incorrect if we only open one PR.

What we do instead today is give you all the PRs (which is annoying, I get it), but then as soon as you decide to merge the parent dependency PR, Dependabot will realize that the sub-dep PRs are no longer needed and automatically close them all.

I'm going to close, but if for some reason I'm overlooking an obvious solution here feel free to comment and we can re-open.
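Added illustration (not part of this thread and not Dependabot's code): the script below models the behaviour described in the comment above for a Composer project. It reads the package versions locked in composer.lock before and after a parent bump (drupal/core here), lists what the bump changed, and then sorts the pending sub-dependency security PRs into "superseded" (the parent bump already locks the package at or beyond the PR's target version, or drops it) and "still needed". The two lock excerpts, the pending-PR list, and every version number are constructed for the example; the function names (`locked_versions`, `changed_by_update`, `classify_prs`, `triage`) are hypothetical and do not correspond to anything in Dependabot.

```python
"""Model of the 'close superseded sub-dependency PRs' step described in the
issue comment above: after a parent package (drupal/core) is bumped, compare
the versions locked in composer.lock before and after the bump and work out
which open security PRs for transitive dependencies are now redundant.
Illustrative code only; this is not how Dependabot is implemented."""
import json
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
PullRequest = Tuple[str, str]  # (package name, version the PR would install)

# Constructed composer.lock excerpts (only the fields this script reads).
# Package names are real Composer packages; every version number is made up.
LOCK_BEFORE = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "8.7.9"},
        {"name": "symfony/http-foundation", "version": "v3.4.33"},
        {"name": "symfony/http-kernel", "version": "v3.4.33"},
        {"name": "symfony/yaml", "version": "v3.4.33"},
        {"name": "twig/twig", "version": "v1.42.3"},
    ],
    "packages-dev": [],
})

# Same project after updating drupal/core together with its dependencies:
# the parent bump drags http-foundation and http-kernel forward but leaves
# symfony/yaml and twig/twig where they were.
LOCK_AFTER = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "8.7.10"},
        {"name": "symfony/http-foundation", "version": "v3.4.35"},
        {"name": "symfony/http-kernel", "version": "v3.4.35"},
        {"name": "symfony/yaml", "version": "v3.4.33"},
        {"name": "twig/twig", "version": "v1.42.3"},
    ],
    "packages-dev": [],
})

# Constructed list of open security PRs, one per sub-dependency.
PENDING_PRS: List[PullRequest] = [
    ("symfony/http-foundation", "v3.4.35"),
    ("symfony/http-kernel", "v3.4.35"),
    ("symfony/yaml", "v3.4.35"),   # parent bump does not reach this version
    ("twig/twig", "v1.42.4"),      # parent bump does not touch this package
]


def parse_version(raw: str) -> Version:
    """Turn a Composer version string ('v3.4.35', '8.7.10') into a comparable
    tuple. Pre-release and build suffixes are dropped; fine for tagged releases."""
    core = raw.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def locked_versions(lock_json: str) -> Dict[str, str]:
    """Map package name -> locked version across runtime and dev packages."""
    lock = json.loads(lock_json)
    entries = lock.get("packages", []) + lock.get("packages-dev", [])
    return {entry["name"]: entry["version"] for entry in entries}


def changed_by_update(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Packages whose locked version differs between the two lock files."""
    return {
        name: (before.get(name, "(absent)"), after.get(name, "(absent)"))
        for name in sorted(set(before) | set(after))
        if before.get(name) != after.get(name)
    }


def classify_prs(after: Dict[str, str], prs: List[PullRequest]) -> Dict[str, List[PullRequest]]:
    """A PR is superseded when the parent update already locks the package at
    (or beyond) the version the PR would install, or no longer locks it at all."""
    result: Dict[str, List[PullRequest]] = {"superseded": [], "still_needed": []}
    for name, target in prs:
        locked = after.get(name)
        if locked is None or parse_version(locked) >= parse_version(target):
            result["superseded"].append((name, target))
        else:
            result["still_needed"].append((name, target))
    return result


def triage() -> Dict[str, List[PullRequest]]:
    """Run the whole comparison over the constructed lock files."""
    after = locked_versions(LOCK_AFTER)
    return classify_prs(after, PENDING_PRS)


if __name__ == "__main__":
    before, after = locked_versions(LOCK_BEFORE), locked_versions(LOCK_AFTER)
    for name, (old, new) in changed_by_update(before, after).items():
        print(f"changed: {name} {old} -> {new}")
    for bucket, prs in triage().items():
        for name, target in prs:
            print(f"{bucket}: {name} {target}")
```

The point of the "still needed" bucket is the caveat in the comment above: a parent bump only closes the sub-dependency PRs whose target version it actually reaches, so the two leftover PRs here would stay open and still have to be reviewed on their own.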
