
Dependabot is sometimes enabled on forks #21343

@evverx

Description


According to https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-dependabot-version-updates#enabling-version-updates-on-forks

Version updates are not automatically enabled on forks when a dependabot.yml configuration file is present. This ensures that fork owners don't unintentionally enable version updates when they pull changes including a dependabot.yml configuration file from the original repository

but according to dependabot/dependabot-core#2804 (comment)

Dependabot version updates (setup from config file) isn't enabled by default on new forks but will be if security updates have ever been turned on and since disabled.

which means that apparently in some cases forks will receive PRs from Dependabot and the only workaround is

The workaround for now is to delete the fork and re-create it without enabling Dependabot security updates

I don't think it affects a lot of forks, but to be sure it would be great if all issues related to PRs from Dependabot could be discussed here.

To somewhat mitigate the issue, the number of PRs Dependabot can create will be limited: #21342

Labels: dependencies (Pull requests that update a dependency file)