dependabot / api-docs

[Deprecated] Documentation for Dependabot Preview's API

Config permissions

damien opened this issue · comments

Hey folks!

First off, thanks for the great product. It's been a pleasure to use and has made a great impact on teams in the org I work at.

On topic, my question: Is there a way to control who can change specific configurations for a project being monitored by Dependabot? Failing that, is there a straightforward way to know when Dependabot configs change for a project and who made those changes?

The problem I'm trying to solve at the moment is to prevent people from disabling Dependabot for a particular repository. Failing that, I'd like to be able to programmatically know when this happens.

As far as I can tell, there isn't a way to do fine-grained access control within Dependabot's UI or API. Lacking that, the only way I see to know when such changes are made is to poll the config API on a relatively short interval.

Thoughts? Suggestions? Thanks again for your time!

Thanks for the feedback @damien.

The permissions in the Dependabot UI mirror a user's GitHub permissions - if you have write access to a repo then you can make changes to its Dependabot setup, if you don't then you can't.

We don't currently show an audit log for changes, but for your use case have you thought about using config files? That way, any changes (or deletions) will be included in your git history.

Hey @greysteil!

Thanks for getting back to me, and sorry for the delayed response—busy week on my end.

I understand what you're saying, and Github's permissions schemes can also be a frustration when attempting to implement the kinds of controls I'm describing. If that's the state of things, we'll deal with it.

That said, I'm specifically trying to avoid the need to add config files to each project. As you mentioned, people with write access to a Github repo have the same perms on Dependabot. This means that any controls implemented via a config file can also be changed by people with write access to a repo.

Additionally, bulk edits to Dependabot config files don't scale well with large numbers of Github repos under an org. My employer's Github org is well over 700 repositories, and we're hoping to enforce Dependabot CVE PRs for all of them.

On another note: Is allowing for these types of controls something you folks at Dependabot are interested in supporting, or does that not fit into the design or roadmap of the product as you guys see it?

Thanks again for your time! Great product, I'm just trying to figure out how to best use it for the teams I support. 😄

Got you, and that's super interesting feedback - thanks!

This is definitely something we're interested in supporting. For the moment the permission structure isn't something we can easily make changes to, so I'd recommend going with config files and / or API polling, but we'll get to this in future.

@greysteil Fantastic! I notice you guys have a feedback repo with issues that this ticket would probably have been more appropriate for. Do you folks advertise a roadmap I can follow? Failing that, has there been any official communication about near-to-mid-term priorities or features you fine folks are working on?

I'd love to stay on top of any improvements you folks make, so any info is greatly appreciated!

There’s not been as much as there should be! Previously we’ve published new features on the blog, and the feedback repo is a good place to see little things we’re fixing (but likely to be a bit noisy).

High level, right now we’re doing a bunch of robustness work smoothing out all/any rough edges in existing languages, in prep for larger projects come May.

Good to know! I’ll keep an eye on the blog. Thanks again!