
Dependabot - Ignoring NuGet package versions


I'm trying to get dependabot up and running with C# projects that have NuGet dependencies, and configure it to ignore certain versions of packages, such as .NET 7 packages.

Things I have tried:

Various variations of the .github/dependabot.yml file, example below.

version: 2
registries:
  nuget-private:
    type: nuget-feed
    url: https://pkgs.dev.azure.com/{teamName}/_packaging/{teamName}/nuget/v3/index.json
    token: ':{patToken}'
  nuget-public:
    type: nuget-feed
    url: https://api.nuget.org/v3/index.json
updates:
  - package-ecosystem: nuget
    directory: '/'
    registries: '*'
    schedule:
      interval: weekly
    open-pull-requests-limit: 50
    ignore:
      - dependency-name: 'Microsoft.EntityFrameworkCore'
        versions: ['7.x']
      - dependency-name: 'Microsoft.EntityFrameworkCore.Relational'
        versions: ['7.x']

Specifying versions in the project.csproj file.

<ItemGroup>
   <PackageReference Include="Microsoft.EntityFrameworkCore" Version="6.0.14" allowedVersions="[6,7)" />
   <PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="6.0.14" allowedVersions="[6,7)" />
   <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
</ItemGroup>

Nothing I try seems to work, and I get PRs for .NET 7 package versions. If this were working as expected, I would expect a PR for version 6.0.15.

Have searched for hours but can't seem to come across anyone having similar issues. Any help would be appreciated.


Solution

  • Right, the solution was simple.

    versions: ['7.*']

    Job done.

    EDIT:

    Following the recent release of .NET 8, our pipelines started triggering updates for .NET 8 unexpectedly.

    We've decided to switch to the update-types syntax as documented at https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#specifying-dependencies-and-versions-to-ignore

    This is an example of what we have configured:

        ignore:
          - dependency-name: 'Microsoft.Extensions.Caching'
            update-types: ['version-update:semver-major']
          - dependency-name: 'Microsoft.Extensions.Caching.*'
            update-types: ['version-update:semver-major']
    

    This way, Dependabot ignores any major version releases, not just the .NET 7 releases.
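To make the difference between the `versions` rules and the `update-types` rules concrete, here is an added Python simulation of how the ignore blocks from this thread filter candidate updates (example code written for this page, not Dependabot's own matcher). It assumes package names compare case-insensitively, treats both `dependency-name` and `versions` patterns as shell-style globs, and strips prerelease labels before comparing; the rule list is a constructed mirror of the configs shown above.

```python
from fnmatch import fnmatchcase

# Constructed rules mirroring the ignore blocks discussed on this page
# (dependabot.yml is not parsed here; the entries are written out as dicts).
IGNORE_RULES = [
    {"dependency-name": "Microsoft.EntityFrameworkCore", "versions": ["7.*"]},
    {"dependency-name": "Microsoft.EntityFrameworkCore.Relational", "versions": ["7.*"]},
    {"dependency-name": "Microsoft.Extensions.Caching",
     "update-types": ["version-update:semver-major"]},
    {"dependency-name": "Microsoft.Extensions.Caching.*",
     "update-types": ["version-update:semver-major"]},
]


def parse_version(text):
    """Split a NuGet version such as '8.0.0-preview.1' into numeric parts.
    The prerelease/build label is dropped; missing parts default to 0."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def update_type(current, candidate):
    """Classify the bump from current to candidate using the same names the
    update-types setting uses: semver-major, semver-minor or semver-patch."""
    cur, cand = parse_version(current), parse_version(candidate)
    if cand[0] != cur[0]:
        return "version-update:semver-major"
    if cand[1] != cur[1]:
        return "version-update:semver-minor"
    return "version-update:semver-patch"


def is_ignored(rules, name, current, candidate):
    """Return True if any rule suppresses the update name: current -> candidate.
    Assumption: names are matched case-insensitively and patterns are globs."""
    for rule in rules:
        if not fnmatchcase(name.lower(), rule["dependency-name"].lower()):
            continue
        # versions rule: a glob over the candidate version string
        for pattern in rule.get("versions", []):
            if fnmatchcase(candidate, pattern):
                return True
        # update-types rule: compares the size of the bump, not a fixed major
        if update_type(current, candidate) in rule.get("update-types", []):
            return True
    return False
```

Under this glob approximation the original `'7.x'` pattern matches no real version string, which is consistent with what the asker observed, and the `update-types` rules keep 8.x and later majors out as well without editing the file again.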