How to configure to ensure matching versions of nested dependencies
ivanixgames opened this issue
Hello,
Within an organization, we have several private repos used as nested dependencies and we need the common dependencies to match.
I looked at the examples for dependabot/config.yml but couldn't see a clear way to do this.
I understand that one issue is that Dependabot currently does not poll / support internal GitHub Packages, but assuming I can find a workaround using GitHub Actions, I would like to do the following:
Does this look feasible to do in config.yml and if so how?
@ivanixgames 👋 interesting use case! It's not something you can set up with Dependabot at the moment. It only pulls versions from GitHub Packages at most once a day, so it would just update everything to the latest version available at that time. If you're using npm/yarn you could use peer dependencies to pin a common dependency at a specific version (example), but Dependabot doesn't actually update this field; it only tries to make sure it doesn't update the library to a version where it's violated.
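The reply describes two behaviours worth checking in your own CI rather than trusting by inspection: whether the common dependency is declared identically across the org's packages (the drift the original question wants to prevent), and whether a proposed version bump in a consumer would violate a `peerDependencies` pin published by a shared package (the constraint Dependabot honours but never edits). The script below is an added example, not code from this thread or from Dependabot; the `@acme/*` package names and the manifest contents are constructed samples, and the range parser is deliberately limited to exact versions, `^` and `~` (a real check would use the `semver` package).

```javascript
// Added example: drift report and peer-pin check over several package.json manifests.
// All manifests below are constructed sample data; @acme/* names are hypothetical.
const sampleManifests = {
  // Shared package that pins the common dependency for every consumer via peerDependencies.
  '@acme/shared-core': { version: '2.1.0', peerDependencies: { lodash: '4.17.21' } },
  '@acme/service-a': { version: '1.4.2', dependencies: { '@acme/shared-core': '^2.1.0', lodash: '4.17.21' } },
  '@acme/service-b': { version: '0.9.0', dependencies: { '@acme/shared-core': '^2.1.0', lodash: '^4.17.15' } },
  '@acme/service-c': { version: '3.0.1', dependencies: { '@acme/shared-core': '^2.0.0', lodash: '4.17.20' } },
};

// Parse "MAJOR.MINOR.PATCH" into integers; pre-release tags are out of scope here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Minimal semver range check: exact "1.2.3", caret "^1.2.3" and tilde "~1.2.3".
// Caret follows npm's rule that the leftmost non-zero component is the one that may not change.
function satisfies(version, range) {
  const v = parseVersion(version);
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const lo = parseVersion(op ? range.slice(1) : range);
  if (!op) return compare(v, lo) === 0;
  if (compare(v, lo) < 0) return false;
  let hi;
  if (op === '~') hi = [lo[0], lo[1] + 1, 0];
  else if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];
  else if (lo[1] > 0) hi = [0, lo[1] + 1, 0];
  else hi = [0, 0, lo[2] + 1];
  return compare(v, hi) < 0;
}

// Drift report: how each package declares `dep`, and whether every declaration is identical.
function driftReport(manifests, dep) {
  const declared = {};
  for (const [name, m] of Object.entries(manifests)) {
    const spec = (m.dependencies || {})[dep];
    if (spec) declared[name] = spec;
  }
  return { declared, uniform: new Set(Object.values(declared)).size <= 1 };
}

// Collect every peerDependencies pin on `dep` published by the consumer's direct dependencies.
function peerConstraintsFor(manifests, consumer, dep) {
  const deps = manifests[consumer].dependencies || {};
  const out = [];
  for (const name of Object.keys(deps)) {
    const peer = (manifests[name] || {}).peerDependencies || {};
    if (peer[dep]) out.push({ from: name, range: peer[dep] });
  }
  return out;
}

// Would bumping `dep` to `candidate` in `consumer` violate any peer pin? Mirrors the
// "don't update to a version where the peer dependency is violated" behaviour described above.
function canUpdate(manifests, consumer, dep, candidate) {
  const blockedBy = peerConstraintsFor(manifests, consumer, dep).filter((c) => !satisfies(candidate, c.range));
  return { allowed: blockedBy.length === 0, blockedBy };
}

console.log('lodash drift:', driftReport(sampleManifests, 'lodash'));
console.log('bump service-a lodash to 4.17.22:', canUpdate(sampleManifests, '@acme/service-a', 'lodash', '4.17.22'));
```

Run it with `node` against real manifests by replacing `sampleManifests` with the parsed `package.json` of each repo; a non-uniform drift report or a blocked update is the signal a workflow should fail on before the peer pin is bumped.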
@feelepxyz thanks for the tip! I may be able to get a GitHub Action to handle bumping the peerDependency version.