Please restore ability to work without a configuration file #3603

Open
intgr opened this issue Apr 29, 2021 · 8 comments
Labels
E: dependabot-preview Issues specific to Dependabot Preview F: configuration-file F: preview-migration Issue relates to migrating from Dependabot Preview T: feature-request Requests for new features

Comments

@intgr

intgr commented Apr 29, 2021

The old Dependabot Preview was capable of discovering all package managers used in a repository and "just worked". The new GitHub version now requires a vendor-specific yaml file in my git repository.

At the very least, this change should be documented in the documentation "Differences between Dependabot Preview and GitHub-native Dependabot".

@ucirello

Related to #3597

@intgr
Author

intgr commented Apr 29, 2021

Ah sorry, I tried searching for duplicates but didn't find that issue.

@asciimike
Contributor

@intgr, I've prepped a docs change and it'll be out once I can get it reviewed.

As for the use case--is it the same as what was mentioned earlier (desire for config to live outside the repo), or something else?

@asciimike asciimike added E: dependabot-preview Issues specific to Dependabot Preview T: feature-request Requests for new features labels Apr 30, 2021
@intgr
Author

intgr commented May 21, 2021

Sorry I forgot to reply to this.

I guess my main point is that Dependabot should follow "Convention over configuration". If all my package management files are at their standard locations, Dependabot should be able to discover them and just work with no config file.

@asciimike
Contributor

While this is the behavior for security updates, I'm not sure I agree with enabling dependabot version updates by default for all ecosystems in a repo. I think that folks generally do want to have some control over the update schedule (at a minimum), so we either need to build a UI to change this, or provide the same config file.

@intgr
Author

intgr commented May 25, 2021

> folks generally do want to have some control over the update schedule

The "Enable Dependabot" feature on GitHub suggests interval: "daily", which seems fine to me and I'll bet for many other users as well. If it's the "default", why do I need any configuration for it? :)

For the kinds of repositories that I maintain, I frankly don't care about the schedule, it could be any time of day or weekly or hourly. I handle them like ordinary pull requests: after they come in, when I find free time I take a look and make a decision.

For people who want more control, sure, why not make them have a configuration file in their repo.

@asciimike
Contributor

I'll have to think about the details a bit more, but in general, I think that we'll want to move the product to be:

  • enabled via an API/UI (like what we've got for security updates)
  • configurable via config file (same file controlling both) (so if you want to opt out of version updates you'd say something like schedule.interval: 'alert_only' or schedule.interval: 'never' to turn off an individual manifest entirely)

I don't think this is going to come soon, as it'll require some work on APIs and a UI, but I do think it's a good long term direction.

@carogalvin
Contributor

👋 Hello! Product Manager for Dependabot here. I’m currently doing research into adding/improving configuration for security updates, and am looking for user input. This issue is similar to things I’m thinking about, so if you’re subscribed to this and you’re open to a short conversation with me, please feel free to select a time in my calendar that fits your schedule here: https://calendar.app.google/7RSxjJJo9FdvRHNz7

6 participants