securefederatedai/openfl

Create dependabot.yml config to only scan core dependencies

Closed this issue · 1 comment

By default, dependabot scans all python dependencies and requirements.txt files in the repository. ~95% of these are for examples, which trigger false positives for vulnerable packages that have low potential for exploit. Dependabot should only scan the following for vulnerable dependencies:

- setup.py
- requirements-linters.txt
- requirements-test.txt
- docs/requirements-docs.txt
- openfl-tutorials/experimental/requirements_workflow_interface.txt
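
As an added example (not the openfl project's own config and not the content of #1077), the following `.github/dependabot.yml` scopes Dependabot's pip version updates to the directories that hold the files listed above. Dependabot's `directory` key selects a directory, not a file, and the pip ecosystem then discovers `setup.py`, `pyproject.toml` and any `.txt`/`.in` file whose contents look like a requirements file within it. The assumption is therefore that `/`, `/docs` and `/openfl-tutorials/experimental` contain only the manifests named in the issue; any other requirements-style file in those directories would also be scanned, and the example directories under `openfl-tutorials/` that are not listed are simply never visited. The weekly schedule and the `allow` block are illustrative choices.

```yaml
# Added example: Dependabot version-update config scoped to core dependencies.
# Assumes the repository layout described in the issue; directory names are
# the parents of the listed files, because Dependabot scopes by directory.
version: 2
updates:
  # Root: setup.py, requirements-linters.txt, requirements-test.txt
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    # Only open PRs for dependencies the project actually installs at runtime
    # or for its own tooling; example/tutorial directories are not listed.
    allow:
      - dependency-type: "direct"

  # Documentation build requirements: docs/requirements-docs.txt
  - package-ecosystem: "pip"
    directory: "/docs"
    schedule:
      interval: "weekly"

  # Workflow-interface tutorial requirements:
  # openfl-tutorials/experimental/requirements_workflow_interface.txt
  # (the rest of openfl-tutorials/ is not configured, so it is not scanned)
  - package-ecosystem: "pip"
    directory: "/openfl-tutorials/experimental"
    schedule:
      interval: "weekly"
```

One caveat for anyone reproducing this: `dependabot.yml` governs Dependabot version updates (the scheduled PRs). Dependabot alerts for known-vulnerable packages are generated from the repository's dependency graph, which indexes every manifest it recognises across the repository regardless of this file, so noise from example manifests in the alerts tab has to be handled separately (for instance by dismissing alerts, or by removing those manifests from the default branch).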

Fixed with #1077.