Dependencies.io is a product of Dropseed

Filtering updates

For manifest updates (package.json, composer.json, requirements.txt, etc.), "filters" allow you to specify exactly which updates you want, and for which dependencies. This gives you the ability to restrict some dependencies to only patches and bug fixes, while still taking advantage of major feature releases for other dependencies.

Use the filters field under manifest_updates to decide which updates you want.

version: 2
dependencies:
- type: js
  manifest_updates:
    filters:
    # any packages with "react" in the name will only get minor and patch updates
    - name: '.*react.*'
      versions: L.Y.Y
    # everything else will get major, minor, and patch updates
    - name: ".*"
      versions: Y.Y.Y

For each dependency with available updates, we go through the filters in order, choosing the first that matches the name regular expression.

You can also use filters to completely disable updates for certain dependencies by using the enabled field.

version: 2
dependencies:
- type: js
  manifest_updates:
    filters:
    # completely disable react updates
    - name: '.*react.*'
      enabled: false
    # everything else will get major, minor, and patch updates
    - name: ".*"
      versions: Y.Y.Y

Non-semver compliant versions can use versions_regex instead of versions for filtering. Read on for more details.

More version filtering syntax

With a custom version-filtering syntax, you can flexibly decide exactly which versions you want to be acted on.

For SemVer compliant versioning, you can use our semver filtering, and for anything else you can use regular expressions.

Why?

One filter for a group of dependencies

Our L (version lock) syntax allows you to filter versions based on what you currently have installed. This makes it easy to get all patches to your installed version of every dependency (e.g. L.L.Y), whereas with most semver syntaxes you'd have to manually enter the major and minor range for each dependency (e.g. 3.1.x, 4.0.x, etc.).

New behavior for x/*

In some semver libraries (e.g. node-semver), everything after an x or * wildcard range will match. This makes it impossible to get all minor updates without also getting their patches. Our Y (yes) syntax defaults to 0 for everything after it. So to get minor updates without also getting patches, just use L.Y.0. Combine that with OR and you can now get notified about new minor updates to your version, as well as patches to your minor version: L.Y.0 || L.L.Y

Syntax overview

L (version "lock")

Lock this "slot" (major/minor/patch/prerelease) to what you have installed. Lets you quickly filter down to updates to your installed version.

Y ("yes")

Anything in this "slot" (major/minor/patch/prerelease) will match. Slots after it default to 0.

Regular expressions

Not everything follows semantic versioning. If that's the case, you can still filter the versions that you want by using regular expressions. Just use the versions_regex field instead of versions in your dependencies.yml.

Examples

Patches to my installed version

versions: "L.L.Y"

New minor updates to my major version

versions: "L.Y"
# or
versions: "L.Y.0"

New minor updates to my major version and patches to my installed minor version

versions: "L.Y.0 || L.L.Y"

New major releases only

versions: "Y"
# which is the same as
versions: "Y.0.0"

All major, minor, patch, and prerelease versions

versions: "Y.Y.Y-Y"

"nightly" releases

versions_regex: "nightly"
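
The first-match filter ordering and the L/Y slot rules described on this page can be modelled in Python to check what a filter list will let through before you commit it. This is an added example, not Dependencies.io's own code, and all function names are hypothetical. It assumes the name regex must match the whole package name, omitted slots default to 0, prereleases match only a term ending in -Y, only versions newer than the installed one count as updates, and it covers the versions field only (not versions_regex).

```python
import re

def parse(version):
    """'1.2.3-rc.1' -> ([1, 2, 3], 'rc.1'); prerelease is None when absent."""
    core, _, pre = version.partition("-")
    return [int(p) for p in core.split(".")], (pre or None)

def term_matches(term, installed, candidate):
    """Check one L/Y term such as 'L.Y.0' against a candidate version."""
    inst, _ = parse(installed)
    cand, cand_pre = parse(candidate)
    core, _, pre = term.strip().partition("-")
    slots = core.split(".")
    slots += ["0"] * (3 - len(slots))        # assumption: omitted slots default to 0
    if cand_pre is not None and pre != "Y":  # assumption: prereleases need an explicit -Y
        return False
    for slot, have, new in zip(slots, inst, cand):
        want = have if slot == "L" else None if slot == "Y" else int(slot)
        if want is not None and new != want:
            return False
    return True

def spec_matches(spec, installed, candidate):
    """A spec is one or more terms joined by '||' (OR)."""
    return any(term_matches(t, installed, candidate) for t in spec.split("||"))

def pick_filter(filters, name):
    """Return the first filter whose name regex matches; order decides."""
    for f in filters:
        if re.fullmatch(f["name"], name):    # assumption: the regex must cover the whole name
            return f
    return None

def allowed_updates(filters, name, installed, available):
    f = pick_filter(filters, name)
    if f is None or not f.get("enabled", True):
        return []
    newer = [v for v in available if parse(v)[0] > parse(installed)[0]]
    return [v for v in newer if spec_matches(f["versions"], installed, v)]

# Constructed sample data, mirroring the filters shown on this page.
FILTERS = [
    {"name": ".*react.*", "versions": "L.Y.0 || L.L.Y"},
    {"name": ".*", "versions": "Y.Y.Y"},
]
AVAILABLE = ["16.8.0", "16.8.6", "16.9.0", "16.9.1", "17.0.0-rc.1", "17.0.0"]

if __name__ == "__main__":
    print(allowed_updates(FILTERS, "react-dom", "16.8.2", AVAILABLE))        # react rule applies
    print(allowed_updates(FILTERS[::-1], "react-dom", "16.8.2", AVAILABLE))  # catch-all listed first
```

With the catch-all listed first, the react rule is never reached and the major release 17.0.0 is allowed for react-dom, so restrictive filters belong above the ".*" entry.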