Dependabot version updates can now ignore major/minor/patch releases

Dependabot version updates now have the ability to ignore major, minor, or patch updates for a specific dependency or set of dependencies. For instance, you can use this feature to quiet noisy dependencies or easily avoid major version bumps across multiple dependencies.

You can ignore semver updates by modifying the ignore configuration option to ignore one or more update-types:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    ignore:
      # ignore all GitHub linguist patch updates
      - dependency-name: "github-linguist"
        update-types: ["version-update:semver-patch"]

Note: this feature only applies to version updates. If you have security updates enabled, you will still get pull requests updating you to the minimum patched version.
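The two use cases mentioned above (quieting a noisy dependency and avoiding major version bumps across multiple dependencies) could be configured as follows. This is an added example, not part of the original announcement; the dependency names "eslint*" and "aws-sdk" are placeholders chosen for illustration.

```yaml
# Added example: dependency names below are illustrative placeholders.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    ignore:
      # Avoid major version bumps across a group of dependencies.
      # "*" in dependency-name matches zero or more characters, so this
      # rule covers every package whose name starts with "eslint".
      - dependency-name: "eslint*"
        update-types: ["version-update:semver-major"]

      # Quiet a noisy dependency: skip its minor and patch releases so
      # that only major releases open a version-update pull request.
      - dependency-name: "aws-sdk"
        update-types:
          - "version-update:semver-minor"
          - "version-update:semver-patch"

# These rules affect version updates only. With security updates enabled,
# pull requests to the minimum patched version are still opened for the
# dependencies listed above.
```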

Learn more about Dependabot ignore conditions.

To see what's next for Dependabot, visit the public roadmap.

Starting June 16 2021, GitHub-hosted Ubuntu runners will only contain the latest patch release for each supported version of the .NET SDK.

You will not be affected if you use the setup-dotnet action. However, if you use a global.json file with a rollForward: disable property, your workflow will fail. To continue using the .NET SDK, change your workflow to use the setup-dotnet action or use some other value for the rollForward property.

The setup-dotnet action is the recommended way of using .NET with GitHub Actions because it ensures consistent behavior for your workflow runs and allows you to specify exactly which version your code needs. For more information, please see the GitHub Actions documentation and subscribe to the announcement in the actions/virtual-environments repository.


The GitHub Advisory Database now includes sixty curated Go advisories and will continue to grow as we curate existing and new advisories for the Go ecosystem. The addition of Go brings us to seven ecosystems including: Composer (PHP), Go, Maven, npm, NuGet, pip, and RubyGems. We are also in the process of reviewing repository security advisories for Go packages for possible inclusion in the GitHub Advisory Database.

Support for Go in dependency graph and Dependabot alerts and security updates will be available in the future.
