Disable dependabot PR for update package-lock.json

[yoshinorin]

What is the problem

dependabot PRs are super noisy for me. Especially, updates for package-lock.json PRs. Below PRs are examples.

• chore: bump mocha from 10.0.0 to 10.2.0 hexo-cli#438
• chore: bump minimatch from 3.0.4 to 3.1.2 hexo-cli#443
• chore: bump json5 from 2.1.3 to 2.2.3 hexo-cli#449

If we will migrate to monorepo, this problem may become better. But, we need more time to do it (maybe hexo v8.0.0 or higher?)

So, personally I want to disable them.

Q1. How to disable them

I assume the ignore option seems effective. But not sure. Does someone know about this option?

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore

Q2. May we disable them if possible?

@hexojs/core
May we disable them if possible?

---

Thank you :)

[lorezyra]

Why not change the frequency in the config file: .github/dependabot.yml ?

version: 2
updates:
- package-ecosystem: npm
  directory: "/"
  schedule:
    interval: monthly
  open-pull-requests-limit: 20

Change the updates.schedule.interval to a time period you can tolerate. You can also define what dependencies to ignore and allow for scanning.

[tomap]

I'd say that those updates are never time sensitive. And indeed, we could remove a ton of noise by reducing the frequency.

[yoshinorin]

Yes, one of the alternative solutions is that. We can become better with this issue by updating interval if we can't find other solutions.

Thank you :)

[tomap]

As for the package lock file, why not. Maybe just remember to update them to the latest every now and then

[stevenjoezhang]

See also #3370