Skip to content

Commit bcc8973

Browse files
dsotirakiskbukum1Sharra-writesam-stead
authored
Add known case with monorepos (#38273)
Co-authored-by: kbukum1 <kbukum1@github.com> Co-authored-by: Sharra-writes <sharra-writes@github.com> Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
1 parent 9cd2e77 commit bcc8973

1 file changed

Lines changed: 21 additions & 0 deletions

File tree

content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -88,6 +88,27 @@ The {% data variables.product.prodname_dependabot_alerts %} count in {% data var
8888

8989
You can configure {% data variables.product.prodname_dependabot %} to ignore specific dependencies in the configuration file, which will prevent security and version updates for those dependencies. If you only wish to use security updates, you will need to override the default behavior with a configuration file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file) to prevent version updates from being activated. For information about ignoring dependencies, see [Ignoring specific dependencies](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#ignoring-specific-dependencies).
9090

91+
92+
## Why does {% data variables.product.prodname_dependabot %} sometimes fail to detect or update {% data variables.product.prodname_actions %} versions in monorepos?
93+
94+
If your repository contains multiple {% data variables.product.prodname_actions %} (for example, in a monorepo), the tag format you use affects how {% data variables.product.prodname_dependabot %} detects and updates action versions.
95+
96+
- **Dash (`-`) separator** (for example, `@my-action-v0.1.0`):
97+
- {% data variables.product.prodname_dependabot %} may group multiple actions under a single dependency entry or fail to detect new versions correctly. This occurs because {% data variables.product.prodname_dependabot %} relies on slash-based tag parsing to distinguish between actions.
98+
- **Slash (`/`) separator** (for example, `@my-action/v0.1.0`):
99+
- {% data variables.product.prodname_dependabot %} correctly detects and updates each action independently, as the slash creates a hierarchical tag structure that aligns with {% data variables.product.prodname_dependabot %}'s parsing logic.
100+
101+
**Recommendation:** For monorepos with multiple actions, use the `name/version` (slash) format for action tags. This ensures {% data variables.product.prodname_dependabot %} can parse the tag hierarchy correctly and update actions independently.
102+
103+
* Example:
104+
```yaml
105+
# Recommended: namespaced with slash
106+
uses: my-org/monorepo/my-action@my-action/v0.1.0
107+
108+
# Not recommended: dash
109+
uses: my-org/monorepo@my-action-v0.1.0
110+
```
111+
91112
## Further reading
92113
93114
* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)

0 commit comments

Comments
 (0)