varunzxzx
Reputation: 21
Can dependabot suggest patches for direct dependency?
Currently, dependabot suggests only the vulnerable package patch version(fix) but If I need to upgrade only the direct dependency which consumes the fix.
- Is that possible with dependabot?
- Is this feature part of the backlog?
Upvotes: 1
Views: 317
Answers (1)
Nikhil
Reputation: 21
No, Dependabot checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then Dependabot raises a pull request to update the dependency to the minimum version that includes the patch.
Upvotes: 2
Related Questions
- How to update npm nested (vulnerable) dependency?
- How to patch a dependency of a npm library?
- NodeJs: How do I fix package vulnerabilities dependent on another npm package?
- Overriding nested dependencies in Node.js projects to improve "npm audit" vulnerability report
- Update dependencies in NPM to resolve vulnerability
- GitHub detected vulnerability in dependency, but I ran npm update and the dependency didn't update?
- monkey patching at the npm package level?
- How can I use private (git repo) npm dependencies with fuzzy version matching?
- dependency resolution in nodejs with prerelease versions
- NodeJS package.json dependency from github