Dependabot

Tingle Software

1,126 installs | Free
Automatically update dependencies and vulnerabilities in your code

Dependabot Azure DevOps Extension

This is the unofficial Dependabot extension for Azure DevOps. It allows you to run Dependabot inside a build pipeline. You will find it here in the Visual Studio Marketplace; you need to install it into your organization before using the task in a pipeline.

Usage

To use in a YAML pipeline:

- task: dependabot@1
  inputs:
    packageManager: 'nuget'

You can also use a configuration file stored at .azuredevops/dependabot.yml conforming to the official spec.

- task: dependabot@1
  inputs:
    useConfigFile: true
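The following is an added example of such a configuration file, not one taken from the extension's README; it uses only keys from the official Dependabot v2 configuration spec (version, updates, package-ecosystem, directory, schedule, target-branch, open-pull-requests-limit, versioning-strategy, allow, ignore). The branch name, directories and dependency names are assumptions, and it assumes the extension honours these keys when useConfigFile is true:

```yaml
# .azuredevops/dependabot.yml  (added example; values are illustrative)
version: 2
updates:
  # NuGet packages at the repository root, checked every day
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "daily"
      time: "02:00"
      timezone: "Etc/UTC"
    target-branch: "main"          # assumed default branch
    open-pull-requests-limit: 5
    versioning-strategy: "auto"
    allow:
      - dependency-type: "direct"  # only bump dependencies referenced directly
    ignore:
      - dependency-name: "Newtonsoft.Json"   # assumed pin; stay on the current major
        versions: ["13.x"]

  # Base images under /docker, checked once a week
  - package-ecosystem: "docker"
    directory: "/docker"
    schedule:
      interval: "weekly"
      day: "monday"
    target-branch: "main"
    open-pull-requests-limit: 10
```

The schedule block is part of the spec, but with this extension it is the pipeline's own schedules: trigger that decides when the task actually runs; the file still has to parse, so keep a valid schedule.interval in each update entry.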

It is up to the user to schedule the pipeline in whatever way is appropriate for their solution.

An example of a YAML pipeline:

trigger: none # Disable CI trigger

schedules:
- cron: '0 2 * * *' # daily at 2am UTC
  always: true # run even when there are no code changes
  branches:
    include:
      - master
  batch: true
  displayName: Daily

pool:
  vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported)

steps:
- task: dependabot@1
  inputs:
    packageManager: 'nuget'
- task: dependabot@1
  inputs:
    packageManager: 'docker'
    directory: '/docker'
    openPullRequestsLimit: 10
    versioningStrategy: 'auto'

Since this task runs inside a Docker image, the first run in a job may take time to pull that image. You can make use of Docker layer caching in Azure Pipelines; see #113. Subsequent dependabot tasks in the same job are faster once the first one has pulled the image.

Task Parameters

useConfigFile: Optional. Determines whether to read the configuration file (.azuredevops/dependabot.yml) instead of the task inputs. Defaults to false.
packageManager: Required when useConfigFile is false. The type of packages to check for dependency upgrades. Examples: nuget, maven, gradle, npm, etc. See the update script or the docs for the full list.
directory: Optional. The directory in which dependencies are to be checked. Examples: / for the root, /src for the src folder.
targetBranch: Optional. The branch to be targeted when creating pull requests. When not specified, Dependabot resolves the default branch of the repository. Examples: master, main, develop.
openPullRequestsLimit: Optional. The maximum number of open pull requests to have at any one time. Defaults to 5.
versioningStrategy: Optional. The versioning strategy to use. See the official docs. Defaults to auto.
failOnException: Optional. Determines whether the task should fail when an exception occurs. Defaults to true.
milestone: Optional. The identifier of the work item to be linked to the pull requests that Dependabot creates.
setAutoComplete: Optional. Determines whether the pull requests that Dependabot creates should have auto-complete set. When set to true, pull requests that pass all branch policies will be merged automatically.
mergeStrategy: Optional. The merge strategy to use when auto-complete is set. Learn more here. Defaults to 2 (squash merge).
autoApprove: Optional. Determines whether the pull requests that Dependabot creates should be approved automatically. When set to true, pull requests will be approved by the user specified in the autoApproveUserEmail field.
autoApproveUserEmail: Optional. Email of the user that should be used to automatically approve pull requests. Required if autoApprove is set to true.
autoApproveUserToken: Optional. A personal access token belonging to the user specified in autoApproveUserEmail, used to approve the created pull requests. Required if autoApprove is set to true.
gitHubConnection: Optional. The GitHub service connection for authenticating requests against GitHub repositories. This is useful to avoid rate-limiting errors. The token must include permission to read public repositories. See the GitHub docs for more on Personal Access Tokens and the Azure DevOps docs for the GitHub service connection.
gitHubAccessToken: Optional. The raw GitHub PAT for authenticating requests against GitHub repositories. Use this in place of gitHubConnection, for example when it is not possible to create a service connection.
azureDevOpsAccessToken: Optional. The Personal Access Token for accessing Azure DevOps. Supply a value here to avoid using the permissions of the Build Service, either because you cannot change its permissions or because you prefer that the pull requests be created by a different user. When not provided, the current authentication scope is used. In either case, be sure the following permissions are granted:
- Code (Full)
- Pull Request Threads (Read & Write)
See the documentation to learn more about creating a Personal Access Token.
targetRepositoryName: Optional. The name of the repository to target for processing. If this value is not supplied, the Build Repository Name is used. Supplying this value allows a single pipeline to run Dependabot against multiple repositories.
excludeRequirementsToUnlock: Optional. Space-separated list of dependency update requirements to be excluded. See the list of allowed values here. Useful if you have many dependencies and the update script is too slow. Example: own all to only use the none version requirement.
dockerImageTag: Optional. The image tag to use when pulling the Docker container used by the task. A tag also defines the version. By default, the task decides which tag/version to use; this can be the latest or the most stable version.
extraEnvironmentVariables: Optional. A semicolon (;) delimited list of environment variables that are passed to the Docker container. See a possible use case here.
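As an added example (not from the extension's README) of how the parameters above fit together, including the targetRepositoryName case, the pipeline below runs Dependabot under its own identity and lets the created pull requests auto-complete. The variable group name, the secret variable names, the approver address, the service connection name and the second repository name are assumptions:

```yaml
# Added example pipeline; names marked "assumed" are not from the original page.
trigger: none # Disable CI trigger

schedules:
- cron: '0 2 * * 1' # weekly, Monday 02:00 UTC
  always: true      # run even when there are no code changes
  branches:
    include:
      - main        # assumed default branch
  batch: true
  displayName: Weekly dependency updates

variables:
- group: dependabot-secrets  # assumed variable group; holds the two PATs as secret variables

pool:
  vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported)

steps:
# 1. The build repository: create PRs with a dedicated PAT rather than the Build Service identity,
#    approve them with a separate account, and let them complete once branch policies pass.
- task: dependabot@1
  displayName: Update npm dependencies (this repository)
  inputs:
    packageManager: 'npm'
    directory: '/'
    targetBranch: 'main'
    openPullRequestsLimit: 10
    versioningStrategy: 'auto'
    failOnException: true
    setAutoComplete: true
    mergeStrategy: 2                                   # squash merge (the default)
    autoApprove: true
    autoApproveUserEmail: 'dependabot-approver@example.com'  # assumed approver account
    autoApproveUserToken: $(DEPENDABOT_APPROVER_PAT)   # assumed secret variable, PAT of that account
    azureDevOpsAccessToken: $(DEPENDABOT_ADO_PAT)      # assumed secret variable; PAT scoped to
                                                       # Code (Full) + Pull Request Threads (Read & Write)
    gitHubConnection: 'github-readonly'                # assumed service connection; avoids GitHub rate limits

# 2. A second repository in the same project, handled by the same pipeline via targetRepositoryName.
- task: dependabot@1
  displayName: Update NuGet dependencies (shared-libraries repository)
  inputs:
    packageManager: 'nuget'
    directory: '/'
    targetRepositoryName: 'shared-libraries'          # assumed repository name
    openPullRequestsLimit: 5
    azureDevOpsAccessToken: $(DEPENDABOT_ADO_PAT)
```

Two points worth checking before enabling this: keep both PATs as secret variables (a variable group linked here, or secret pipeline variables), never as plain text in the YAML; and remember that setAutoComplete merges a pull request as soon as the target branch's policies are satisfied, so without a build-validation or required-reviewer policy on targetBranch a dependency bump lands without anyone looking at it. Using a distinct account for autoApproveUserEmail keeps the approval attributable to that account rather than to whoever owns the pipeline.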

Advanced

In some situations you might want to override the Docker image tag that is pulled, for example to get the latest bits for testing. This is discouraged. Declare a global variable, for example:

trigger: none # Disable CI trigger

schedules:
- cron: '0 2 * * *' # daily at 2am UTC
  always: true # run even when there are no code changes
  branches:
    include:
      - master
  batch: true
  displayName: Daily

# variables declared below can be put in one or more Variable Groups for sharing across pipelines
variables:
  DEPENDABOT_EXTRA_CREDENTIALS: '[{\"type\":\"npm_registry\",\"token\":\"<redacted>\",\"registry\":\"npm.fontawesome.com\"}]' # credentials for private registries and feeds
  DEPENDABOT_ALLOW_CONDITIONS: '[{\"dependency-name\":\"django*\",\"dependency-type\":\"direct\"}]' # packages allowed to be updated
  DEPENDABOT_IGNORE_CONDITIONS: '[{\"dependency-name\":\"express\",\"versions\":[\"4.x\",\"5.x\"]}]' # packages to be ignored

pool:
  vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported)

steps:
- task: dependabot@1
  inputs:
    packageManager: 'nuget'
- task: dependabot@1
  inputs:
    packageManager: 'docker'
    directory: '/docker'
    openPullRequestsLimit: 10

Check the logs for the image that is pulled.

© 2022 Microsoft