Exclude directory from Dependabot checks

author image Slava Abakumov


Dependabot Example PR

The majority of my WordPress plugin-specific development is happening inside the monorepo setup – where I have several connected plugins stored in the same repository.

As I use GitHub, I also like using its built-in versions and security scanner called Dependabot.

What is Dependabot?

Dependabot is an automated tool by GitHub, part of its Security-focused suite of features. It can notify you if your repository is utilizing a software dependency that has a recognized vulnerability or is simply out-of-date.

This is an opt-in feature, meaning you need to enable it in repository settings. To do that, go to “Settings” and find the Security section item on the left. Over there you should see the “Code security and analysis” link. On the page click Enable for “Dependabot alerts”, “Dependabot security updates”, and “Dependabot version updates”.

To configure it, I would advise reading the official doc with an example dependabot.yml file.

After all the configuration is done, Dependabot will start checking the dependencies for new versions and security vulnerabilities. But sometimes you have kind of a “dead” code in the repo for various reasons, and there is little to no reason to create PRs to bump versions in those directories.

Excluding specific directories generating Pull Requests

If you checked the configuring Dependabot link above, you now know how to adjust the settings on a per-directory basis (where each directory has its own composer.json and/or package.json file).

Unfortunately, Dependabot lacks an easy-to-use way how to exclude certain directories within your monorepo from being scanned/checked at all.

And it’s quite a popular Stackoverflow question and a ton of discussion happening in the dependabot core development repository as well.

Luckily, I found a solution that seems to be working so far for me, but with a caveat.

It’s possible to hide Dependabot notifications via created Pull Requests using this example config added to your devendabot.yml file:

  - package-ecosystem: "npm"
directory: "/some-directory-to-exclude"
interval: "monthly"
labels: [ ]
- dependency-name: "*"

Note the ignore part and its * wildcard.

Technically, Dependabot will continue making all the checks behind the scenes regularly – but it should not create PRs because of the ignore part. And that’s why I set the interval to monthly to decrease the frequency of those useless checks.

Don’t forget to change the package-ecosystem as well.

I got the idea from this doc and this sentence:

You can combine this with dependency-name: "*" to ignore particular update-types for all dependencies.

After pushing those changes, my current Dependabot PRs to the excluded directory were auto-closed. And I hope they won’t be recreated in a month.


Leave a Reply

Your email address will not be published. Required fields are marked *