Consider removing package-lock.json from template #276
Comments
Let's investigate if we can exclude files from Dependabot first. Configuration options for dependency updates, https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
There's a Dependabot FR filed to only target the package.json file: dependabot/dependabot-core#3184
So basically we need a similar strategy for the manifest file as is available for the lockfile (
Currently, it's impossible to merge quite frequent dependabot.yml pull requests because these are overwriting our minimally configured package-lock.json. See #274 for example.