Dependabot is sometimes enabled on forks #21343
Comments
|
This one is really annoying... As the upstream issues are open for a long time already I guess this will not be fixed any time soon. 😒 |
Unfortunately, it seems to be the only way to get rid of those PRs I'm not sure why it opened eworm-de#4 and eworm-de#5 though. Both those updates were blocked in #21505 and #21574. |
|
I'm not sure if it helps but all those PRs are also auto-closed once forks get updated so in principle if PRs like eworm-de#4 were blocked explicitly by using something like https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#ignore in the systemd repository most forks updated at least once a week would never get Dependabot PRs. |
|
Judging by https://github.blog/changelog/2022-11-07-dependabot-pull-requests-off-by-default-for-forks/ it was fixed |
According to https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-dependabot-version-updates#enabling-version-updates-on-forks
but according to dependabot/dependabot-core#2804 (comment)
which means that apparently in some cases forks will receive PRs from Dependabot and the only workaround is
I don't think it affects a lot of forks but to be sure it would be great if all issues related to PRs from Dependabot could be discussed here.
To somewhat mitigate the issue the number of PRs Dependabot can create will be limited: #21342
The text was updated successfully, but these errors were encountered: