How to discover the dependency list prior to running a security-only update #360

Open
dependabot/dependabot-core
#10836
@rhyskoedijk

Description

I'm trying to convert the tinglesoftware/dependabot-azure-devops community Dependabot implementation over to Dependabot CLI; it currently uses the dry-run.rb and updater scripts to perform updates, which is problematic because they do not use the credentials proxy container.

Everything works well so far using Dependabot CLI, except for security-only updates.
I've run into a "chicken or the egg" situation where you need to list the [vulnerable] dependency names in job.yml, but you don't know what the dependencies are until you've already run a dependabot update first and parsed the dependency list from output.yml.

For example:

```yaml
job:
    package-manager: npm_and_yarn
    security-updates-only: true
    dependencies:
      - express # how would I know this is a dependency before executing `dependabot update`?
    security-advisories:
      - dependency-name: express
        affected-versions:
          - <5.0.0
        patched-versions: []
        unaffected-versions: []
```

Do you have any advice on how I could solve this problem?
It would be ideal if there was a command like `dependabot list` that was able to return the "update_dependency_list" output but skip the actual updates. Assuming I'm not missing something obvious, would you be open to me submitting a pull request to add this command?

The only way I can currently work around this issue is to do two "updates": first with `security-updates-only: false` so I can parse the discovered dependency list, then a second update with `security-updates-only: true` and the dependencies list populated.
