deps: avoid updates of indirect (transitive) deps

Problem: Dependabot is updating transitive deps (`package-lock.json`) instead of only dependencies that we explicitly declare (`package.json`). Examples: #670 #669 Solution: Revert `dependency-name: '*'`, which was only an experiment. The remove of `dependency-type: 'development'` in 15dfb02 should be enough to fix the problem of missing Dependabot updates, without also inviting updates of transitive deps. See also aws/aws-toolkit-vscode@f102e96
aws · Jan 12, 2024 · a8dd133 · a8dd133
1 parent 1c2efdc
commit a8dd133
Showing 1 changed file with 1 addition and 5 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,6 +1,6 @@
 # Documentation for configuration options:
 # https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
-# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates
 
 version: 2
 updates:
@@ -11,8 +11,6 @@ updates:
       directory: '/telemetry/vscode'
       schedule:
           interval: 'daily'
-      allow:
-          - dependency-name: '*'
       groups:
           jest:
               patterns:
@@ -39,8 +37,6 @@ updates:
       directory: '/telemetry/csharp'
       schedule:
           interval: 'daily'
-      allow:
-          - dependency-name: '*'
       groups:
           xunit:
               patterns: