If a pull request triggers a dependency alert, repository contributors can use a bot command to mark the dependency as ignored for the GitHub App.
Marking a dependency as ignored will rerun the pull request alert report and the dependency will be excluded from the new result.
This can be useful if the repository uses protected branches that require all checks to pass and you accept the implications of merging the dependency change in question.
Bot commands are issued by a repository contributor by writing a new comment in the pull request discussion, like this:
@SocketSecurity ignore <package>@<version> <package>@<version> <package>@<version>
Bot commands start with @SocketSecurity ignore followed by a space-separated list of <package>@<version> specifiers.
Bot commands must be the very first thing written in a comment, must be made by a contributor to the repository, and can only be written in comments on the main pull request thread (not in inline review comments).
Good to know
Reports check the state of the pull request discussion whenever they are run, so re-running older check runs will take into account all the bot commands currently present in the pull request thread.
Multiple comments possible
Pull requests are allowed to have more than one bot command comment in them. All such comments will be taken into account.
To un-ignore a package, edit or delete the comment that ignores the package you no longer want to ignore.
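The rules above (command must open the comment, only contributors count, only main-thread comments count, several command comments are merged, and editing or deleting a comment un-ignores its packages) can be made concrete with a small evaluator. The following is an added illustration, not Socket's own code: it parses constructed pull request comments, collects the ignored specifiers, and filters a constructed alert list. The comment fields, the contributor list, and the exact specifier grammar (npm-style names, optionally scoped, with any non-whitespace version after the "@") are assumptions made here for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed specifier grammar: optional "@scope/" prefix, a package name, then
# "@" and a version with no whitespace or further "@" in it.
SPECIFIER = r"(?:@[A-Za-z0-9_.-]+/)?[A-Za-z0-9_.-]+@[^\s@]+"

# The command must be the very first thing in the comment body (\A), and the
# specifier list must end at a line break or at the end of the comment, so
# explanatory text on later lines is allowed but text before the command is not.
COMMAND_RE = re.compile(
    r"\A@SocketSecurity[ \t]+ignore((?:[ \t]+" + SPECIFIER + r")+)[ \t]*(?:\r?\n|\Z)"
)


@dataclass
class Comment:
    author: str
    body: str
    # True for inline review comments, which are not the main PR thread (assumed field).
    is_review_comment: bool = False


def parse_ignore_command(body: str) -> Optional[List[str]]:
    """Return the specifiers of a bot command, or None if the body is not one."""
    match = COMMAND_RE.match(body)
    if match is None:
        return None
    return match.group(1).split()


def ignored_specifiers(comments: List[Comment], contributors: Set[str]) -> Set[str]:
    """Merge every valid bot command currently present in the thread.

    Because this is recomputed from the current comments each time, editing or
    deleting a command comment automatically un-ignores its packages.
    """
    ignored: Set[str] = set()
    for comment in comments:
        if comment.is_review_comment or comment.author not in contributors:
            continue
        specs = parse_ignore_command(comment.body)
        if specs:
            ignored.update(specs)
    return ignored


def filter_alerts(alerts: List[Dict[str, str]], ignored: Set[str]) -> List[Dict[str, str]]:
    """Drop alerts whose package@version has been ignored by a bot command."""
    return [a for a in alerts if f"{a['package']}@{a['version']}" not in ignored]


# Constructed sample data: three contributors, five comments, three alerts.
CONTRIBUTORS = {"alice", "bob", "carol"}
COMMENTS = [
    # Valid: command first, explanation on a later line, two specifiers.
    Comment("alice", "@SocketSecurity ignore pkg-a@1.2.3 pkg-b@4.5.6\nWe accept this risk."),
    # Invalid: the command is not the first thing in the comment.
    Comment("bob", "Note: @SocketSecurity ignore pkg-c@7.8.9"),
    # Invalid: author is not a contributor.
    Comment("mallory", "@SocketSecurity ignore pkg-c@7.8.9"),
    # Invalid: inline review comment, not the main thread.
    Comment("bob", "@SocketSecurity ignore @scope/pkg-d@2.0.0", is_review_comment=True),
    # Valid: a second command comment in the same thread, with a scoped package.
    Comment("carol", "@SocketSecurity ignore @scope/pkg-d@2.0.0"),
]
ALERTS = [
    {"package": "pkg-a", "version": "1.2.3", "alert": "install script"},
    {"package": "pkg-c", "version": "7.8.9", "alert": "network access"},
    {"package": "@scope/pkg-d", "version": "2.0.0", "alert": "obfuscated code"},
]


def run_report() -> List[Dict[str, str]]:
    """Evaluate the constructed thread and return the alerts that remain."""
    return filter_alerts(ALERTS, ignored_specifiers(COMMENTS, CONTRIBUTORS))


if __name__ == "__main__":
    for alert in run_report():
        print(f"{alert['package']}@{alert['version']}: {alert['alert']}")
```

Only pkg-c@7.8.9 survives the filter: alice's and carol's comments are honoured together, while bob's mid-comment mention, mallory's non-contributor comment, and the inline review comment are all disregarded.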
Updated about 2 months ago