an option to make MRs only for insecure deps

[lorvent]

Hello,
dependabot says it can check for insecure deps.

is there anyway, we can do same here with kira?

we have a php/laravel application where we use old versions intentionally, it is making MRs for latest versions which could break application.

so i want to know, if there is any way to achieve what i want i.e. let bot create MRs only for security vulnerabilities.

thanks

[sobolevn]

Yes, dependabot can do it: wemake-services/wemake-django-template#749

Here's my idea:

1. Use this method: https://github.com/dependabot/dependabot-core/blob/0549ebab2530b8287654da00ee382e72f4814c54/common/lib/dependabot/update_checkers/base.rb#L106
2. Only allow to create MRs for security updates: next unless checker.vulnerable?
3. Add an option DEPENDABOT_ONLY_SECURITY to make this configurable

Please, report if that works for you.

[lorvent]

thanks for the tip.
unfortunately i have no idea of ruby, so i have to wait till someone makes a PR for it.
thanks.

[sobolevn]

@lorvent ok, I will do it in ~7 days.

[sobolevn]

Still no solution from my side. Sorry. Any ideas?

[lorvent]

are we checking for deps using dependabot api

or directly checking with packagist.org and nmpjs.com ?

depending on that...we should findout may be.

[sobolevn]

Nope, just dependabot. Other options are out of scope of this project.

[lorvent]

but i can't find any api link for dependabot.

can you please provide link?

[sobolevn]

I am not quite familiar with dependabot's code base and ruby (in fact that's my first ruby project and I still do even red a tutorial), but here you go a search reference: https://github.com/dependabot/dependabot-core/search?q=security&unscoped_q=security

[lorvent]

hmm, lets hope someone else will make a PR for it, since they already have option to filter by security update or not.