How do I ignore one dependency, disable version updates, and still keep Dependabot security updates working? #197516

Derek777-dev · 2026-05-31T23:16:38Z

Derek777-dev
May 31, 2026

🏷️ Discussion Type

Question

Body

What I want is:

a private registry for npm
to ignore all updates for lodash
to disable normal version update PRs
to still group Go security updates by package name

I am not fully sure about the best way to structure the config.
What is the correct Dependabot setup for this?

Guidelines

I have read and understood this category's guidelines before making this post.

Answered by MoemenSuper

May 31, 2026

Use ignore for lodash, open-pull-requests-limit: 0 to stop version update PRs, and a groups rule with applies-to: security-updates for the Go dependencies. Also make sure the registry name under updates.registries matches the registry you defined in the top-level registries section.

View full answer

MoemenSuper · 2026-05-31T23:18:50Z

MoemenSuper
May 31, 2026

Use ignore for lodash, open-pull-requests-limit: 0 to stop version update PRs, and a groups rule with applies-to: security-updates for the Go dependencies. Also make sure the registry name under updates.registries matches the registry you defined in the top-level registries section.

0 replies

This comment was marked as spam.

Sign in to view

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

How do I ignore one dependency, disable version updates, and still keep Dependabot security updates working? #197516

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

This comment was marked as spam.

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

GitHub Community

How do I ignore one dependency, disable version updates, and still keep Dependabot security updates working? #197516

Uh oh!

Derek777-dev May 31, 2026

🏷️ Discussion Type

Body

Guidelines

Replies: 2 comments

This comment was marked as spam.

Uh oh!

MoemenSuper May 31, 2026

Derek777-dev
May 31, 2026

MoemenSuper
May 31, 2026