From 7bd1caea5f8df09ba1f8ca3f9ad0e4726d8cee8e Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Tue, 23 Sep 2025 16:47:52 -0700 Subject: [PATCH 1/2] Update Dependabot options reference for clarity Clarify behavior of 'increase-if-necessary' option in Dependabot. --- .../working-with-dependabot/dependabot-options-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md b/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md index d97b41840f72..e2adeb2f8551 100644 --- a/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md +++ b/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md @@ -782,7 +782,7 @@ When `versioning-strategy` is defined, {% data variables.product.prodname_depend |--------|--------| | `auto` | Default behavior.| | `increase`| Always increase the minimum version requirement to match the new version. If a range already exists, typically this only increases the lower bound. | -| `increase-if-necessary` | Leave the constraint if the original constraint allows the new version, otherwise, bump the constraint. | +| `increase-if-necessary` | If the existing rule already allows the new version, Dependabot leaves the manifest file unchanged, but will still update the lockfile to use the latest version. If the existing rule does not allow the new version (for example, when a new major release falls outside the range), Dependabot will also update the manifest constraint. | | `lockfile-only` | Only create pull requests to update lockfiles. Ignore any new versions that would require package manifest changes. | | `widen`| Widen the allowed version requirements to include both the new and old versions, when possible. Typically, this only increases the maximum allowed version requirement. | 
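Review bot: In the new `increase-if-necessary` row, "the existing rule" and "the manifest constraint" name the same thing in two different ways, and neither matches the "version requirement" wording used in the `increase` and `widen` rows. Pick one term for the whole table, for example "If the existing version requirement already allows the new version, ...". The row also says the lockfile is updated "to use the latest version" while the rest of the sentence and the neighbouring rows say "the new version"; use "new version" throughout so readers do not take these for two different releases. The sentence mixes present tense ("leaves") with future tense ("will still update", "will also update"); present tense throughout would match the other rows.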
From bd58ba168bb2606291325b63f4aacdbe3970882e Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Thu, 25 Sep 2025 12:22:33 -0700 Subject: [PATCH 2/2] Update content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md --- .../working-with-dependabot/dependabot-options-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md b/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md index e2adeb2f8551..65639b20917f 100644 --- a/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md +++ b/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md @@ -782,7 +782,7 @@ When `versioning-strategy` is defined, {% data variables.product.prodname_depend |--------|--------| | `auto` | Default behavior.| | `increase`| Always increase the minimum version requirement to match the new version. If a range already exists, typically this only increases the lower bound. | -| `increase-if-necessary` | If the existing rule already allows the new version, Dependabot leaves the manifest file unchanged, but will still update the lockfile to use the latest version. If the existing rule does not allow the new version (for example, when a new major release falls outside the range), Dependabot will also update the manifest constraint. | +| `increase-if-necessary` | Leave the version requirement unchanged if it already allows the new release (Dependabot still updates the resolved version). Otherwise widen the requirement. | | `lockfile-only` | Only create pull requests to update lockfiles. Ignore any new versions that would require package manifest changes. | | `widen`| Widen the allowed version requirements to include both the new and old versions, when possible. Typically, this only increases the maximum allowed version requirement. |
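Review bot: The rewritten `increase-if-necessary` row ends with "Otherwise widen the requirement", but `widen` is a separate strategy defined two rows below as including both the new and old versions, so this wording makes the two options look equivalent. The line being replaced said Dependabot will "update the manifest constraint", and the original row said "bump the constraint"; something like "Otherwise, increase the requirement to allow the new version" keeps the distinction. The parenthetical "(Dependabot still updates the resolved version)" also drops the explicit mention of the lockfile that patch 1/2 added; naming the lockfile tells the reader which file changes in the pull request and lines up with the `lockfile-only` row.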