Dependabot supports npm indirect dependency updating

[Bo98]

Why:

Dependabot appears to be able to tag indirect npm dependencies fine: Homebrew/actions@e9d995f

Adding:

allow:
- dependency-type: all

to dependabot.yml does change the Dependabot update behaviour to include indirect dependencies, so all definitely doesn't do nothing like the docs currently seem to imply.

I'm not sure if there's any caveats in the support in terms of lockfile versions etc.

What's being changed (if available, include any code snippets, screenshots, or gifs):

The list of eco-systems that support indirect updates.

Check off the following:

• I have reviewed my changes in staging, available via the View deployment link in this PR's timeline.

  • For content changes, you will also see an automatically generated comment with links directly to pages you've modified. The comment won't appear if your PR only edits files in the data directory.

• For content changes, I have completed the self-review checklist.

[welcome]

Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

[github-actions]

Automatically generated comment ℹ️

This comment is automatically generated and will be overwritten every time changes are committed to this branch.

The table contains an overview of files in the content directory that have been changed in this pull request. It's provided to make it easy to review your changes on the staging site. Please note that changes to the data directory will not show up in this table.

---

Content directory changes

You may find it useful to copy this table into the pull request summary. There you can edit it to share links to important articles or changes and to give a high-level overview of how the changes in your pull request support the overall goals of the pull request.

Source	Preview	Production	What Changed
code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md	fpt ghec ghes@ 3.9 3.8 3.7 3.6 3.5	fpt ghec ghes@ 3.9 3.8 3.7 3.6 3.5

---

fpt: Free, Pro, Team
ghec: GitHub Enterprise Cloud
ghes: GitHub Enterprise Server
ghae: GitHub AE

[cmwilson21]

@Bo98 Thanks so much for opening a PR! I'll get this triaged for review ⚡

And welcome to the community! 🎉

If you're looking for ways to contribute while this is waiting for review, please take a look at our help wanted section to find open issues you can work on.

[github-actions]

Thanks for opening a pull request! We've triaged this issue for technical review by a subject matter expert 👀

[mchammer01]

Hi @Bo98 👋🏻 - thanks for submitting this update. I will double-check with the relevant team at GitHub and will get back to you once I've heard from them. Thanks for your patience!

[mchammer01]

Hi @Bo98 - I've reached out to the Dependabot Updates team and unfortunately, we cannot accept this contribution as this npm support is only valid for Dependabot security updates, not Dependabot version updates.
In the mean time, will raise an internal issue for us to discuss the best way to document this. Thanks for your understanding ❤️

[Bo98]

Thanks for checking out with the team! That's interesting, I added dependency-type: all to dependabot.yml and instantly saw a difference in version update behaviour where it opened 6 PRs marked with dependency-type: indirect that it didn't without it. I wonder if that's a bug if it's not supposed to behave like that.

[mchammer01]

@Bo98 - thanks so much for the context, I'll let the team know. Looks like this is a bug.