This repository has been archived by the owner on May 24, 2022. It is now read-only.

Question: What config file to use #962

Closed
0xCLARITY opened this issue Jun 12, 2020 · 9 comments

@0xCLARITY

The Dependabot website says I should use a .dependabot/config.yml to configure Dependabot.

However, GitHub documentation says I should use a .github/dependabot.yml file for configuration.

Which of these is correct? Both? Is one deprecated?

@stefstelea

Following up on the above, it looks like .dependabot/config.yml is v2 and the new way to configure it, however the documentation seems to be outdated. The properties were renamed in v2 and I cannot seem to find a list of optional properties in v2, for example ignored_updates and default_labels are not recognised any longer, could you please provide a link to updated documentation for all the options that could be used? (I found ignored_updates was now changed to updates for example)

@infin8x
Contributor

infin8x commented Jun 15, 2020

Sorry for the confusion.

GitHub-native Dependabot uses the .github/dependabot.yml configuration file - full docs here.

The pre-acquisition version of Dependabot (which you manage on Dependabot.com) uses the .dependabot/config.yml file. If you still manage your Dependabot repos through Dependabot.com, you should use the legacy configuration file and documentation.

I'll get a clarifying note posted on this page https://dependabot.com/docs/config-file/ to help reduce confusion. Thanks for raising this issue.
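
A small repository check built on the answer above, added here as an example and not part of the thread or of Dependabot's own code: it reports which of the two config paths a checkout contains and flags legacy key names left in `.github/dependabot.yml`. The finding labels, the function names and the `update_configs` key (a legacy key not mentioned in the thread) are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

NATIVE = Path(".github/dependabot.yml")   # read by GitHub-native Dependabot
LEGACY = Path(".dependabot/config.yml")   # read by Dependabot.com (legacy)
# Legacy key names: three are named in this thread; update_configs is the
# legacy file's top-level list and is not mentioned in the thread.
LEGACY_KEYS = ("update_configs", "ignored_updates",
               "default_labels", "automerged_updates")
# A YAML mapping key at the start of a line, optionally after a list dash.
KEY_RE = re.compile(r"^\s*(?:-\s+)?([A-Za-z_][\w-]*)\s*:")


def legacy_keys_in(text):
    """Return legacy key names used as YAML keys in text, in first-seen order."""
    found = []
    for line in text.splitlines():
        m = KEY_RE.match(line)   # comment lines start with '#', so never match
        if m and m.group(1) in LEGACY_KEYS and m.group(1) not in found:
            found.append(m.group(1))
    return found


def audit(repo):
    """Return findings for one checkout; an empty list means nothing to flag."""
    repo = Path(repo)
    native, legacy = repo / NATIVE, repo / LEGACY
    findings = []
    if not native.is_file():
        # Only the Dependabot.com file (or no file at all) is present.
        findings.append("legacy-only" if legacy.is_file() else "no-config")
    else:
        if legacy.is_file():
            findings.append("both-present")
        findings += [f"legacy-key:{k}" for k in legacy_keys_in(native.read_text())]
    return findings


def demo():
    """Constructed repo: legacy keys pasted into the native file's location."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / NATIVE
        cfg.parent.mkdir(parents=True)
        cfg.write_text("version: 1\nupdate_configs:\n"
                       "  - directory: \"/\"\n"
                       "    default_labels:\n      - dependencies\n"
                       "    # automerged_updates: only a comment, not a key\n")
        return audit(tmp)
```

Calling `audit(".")` from the root of a checkout returns the findings for that repository; a `legacy-only` result means updates are configured only for the Dependabot.com service.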

@patcon

patcon commented Jun 15, 2020

The new config is much-improved, so THANK YOU! Related: is dependabot/dependabot-core being deprecated? I'm not seeing mention of it anywhere

@infin8x
Contributor

infin8x commented Jun 15, 2020

@patcon glad you like it!

dependabot-core is not deprecated, no. It's still the logic we use to create Dependabot update jobs.

@patcon

patcon commented Jun 15, 2020

Thanks for quick reply! Might be worth mentioning somewhere prominent in README during the launch of native functionality -- people can get a bit reactive (and fall away from being their best selves) when they worry about FOSS things getting shuffled away <3

@0xCLARITY
Author

Is the legacy version of Dependabot more powerful than the GitHub-native version?

It looks like I can't specify automerged_updates with the GitHub native version. Is that correct?

@patcon

patcon commented Jun 16, 2020

My impression was that v2 was more expansive in scope. But no specific insight on automerged. There is some merge style config that I didn't use

@infin8x
Contributor

infin8x commented Jun 16, 2020

@hbergren good question! Unfortunately, we made the decision not to bring auto-merge functionality forward to GitHub-native Dependabot. Full reasoning for that is here: dependabot/dependabot-core#1823 (comment)

@infin8x
Contributor

infin8x commented Jun 16, 2020

I'm going to close this issue as I believe the original question (which config file to use) is answered (and we've also updated https://dependabot.com/docs/config-file/ with a note to help disambiguate in the future). Please re-open if the question isn't answered or feel free to open another issue for other questions.
