weixin_39819393 2020-11-29 10:38 acceptance rate: 0%

Does not propose updates for dependent gems?

From on September 21, 2017 15:54

In my project, I have capybara in my Gemfile, which depends upon nokogiri >= 1.3.3.

Currently, I have nokogiri (1.8.0) installed.

Why hasn't dependabot prompted me to install nokogiri 1.8.1?

Doing `bundle update nokogiri` locally does succeed in creating a new `Gemfile.lock` with an updated version of `nokogiri` and `mini_portile2`.

Copied from original issue: dependabot/feedback#22

This question comes from the open-source project: dependabot/dependabot-core


15 replies

  • weixin_39819393 2020-11-29 10:38

    Hey ,

    I've been wondering when this was going to come up! At the moment, Dependabot doesn't bump sub-dependencies, except when bumping the parent dependency (which means #21 is the other side of this issue).

    We decided to start out with the above approach because we were worried about the sheer number of PRs we'd be creating when bumping sub-dependencies. By their nature, they're things you're less interested in than your primary dependencies, so they were a good candidate to ignore.

    However, I can see arguments for updating them, too - the nokogiri example is a good one - 1.8.1 is a security patch, so you definitely want it.

    I think the best compromise would be for Dependabot to continue to create single-dependency PRs for primary dependencies, but create an additional "update sub-dependencies" PR each day when required, which would combine many updates. Would that make sense to you? It's quite a bit of work on our side, so won't happen immediately, but I'm keen to get clarity on the best possible solution.

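The reply above hinges on the distinction between primary dependencies (declared in the Gemfile) and sub-dependencies (only present in `Gemfile.lock` because something else needs them). The script below is an added example, not Dependabot's own code: it reads a constructed `Gemfile.lock` mirroring the capybara / nokogiri / mini_portile2 case from the question and reports which resolved gems are sub-dependencies, i.e. the ones Dependabot said it would not bump on their own at the time.

```ruby
# Constructed, minimal Gemfile.lock: capybara is the only gem declared in the
# Gemfile; nokogiri and mini_portile2 are pulled in transitively.
LOCKFILE = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    capybara (2.15.1)
      nokogiri (>= 1.3.3)
    mini_portile2 (2.2.0)
    nokogiri (1.8.0)
      mini_portile2 (~> 2.2.0)

PLATFORMS
  ruby

DEPENDENCIES
  capybara

BUNDLED WITH
   1.15.4
LOCK

# Parse the resolved gems (4-space indented "name (version)" lines under a
# specs: block) and the names listed under DEPENDENCIES (2-space indented,
# these are the gems the Gemfile asks for directly).
def parse_lockfile(text)
  specs = {}
  direct = []
  section = nil
  text.each_line do |line|
    case line
    when /^\s*specs:/ then section = :specs
    when /^(PLATFORMS|DEPENDENCIES|BUNDLED WITH)/ then section = $1
    when /^    (\S+) \(([^)]+)\)\s*$/ # resolved gem; deeper lines are requirements
      specs[$1] = $2 if section == :specs
    when /^  (\S+)/ # e.g. "  capybara" or "  capybara (~> 2.15)"
      direct << $1 if section == "DEPENDENCIES"
    end
  end
  { specs: specs, direct: direct }
end

# Sub-dependencies: resolved gems that no Gemfile line declares directly.
def sub_dependencies(lock)
  lock[:specs].reject { |name, _| lock[:direct].include?(name) }
end

if __FILE__ == $0
  lock = parse_lockfile(LOCKFILE)
  puts "Primary dependencies: #{lock[:direct].join(', ')}"
  sub_dependencies(lock).each { |name, ver| puts "Sub-dependency: #{name} #{ver}" }
end
```

Run against a real lockfile by replacing `LOCKFILE` with `File.read("Gemfile.lock")`; gems listed as sub-dependencies are the ones to check by hand for security releases such as the nokogiri 1.8.1 case above.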
