Add support for update-types in allow block

[Copilot]

What are you trying to accomplish?

Add support for update-types in the allow block of dependabot configuration, enabling users to specify semver-level filtering (major/minor/patch) for allowed updates directly — instead of the counterintuitive workaround of combining allow + ignore.

Fixes #12668.

Related PRs:

• API changes
• CLI: Add UpdateTypes field to Allowed struct cli#605

Example usage:

version: 2
updates:
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "daily"
    allow:
      - dependency-name: "rails"
        update-types:
          - "version-update:semver-minor"
          - "version-update:semver-patch"

Anything you want to highlight for special attention from reviewers?

• allowed_update? in Job now checks update-types against the computed semver update type for the dependency
• Security updates bypass update-types filtering to preserve security-first behavior
• Dependencies without a previous version (new dependencies) are allowed through regardless of update-types
• The dependency_update_type helper reuses the same version comparison logic as the pull request labeler

How will you know you have accomplished your goal?

• All existing tests continue to pass
• New tests cover: all semver update types, combinations, security update bypass, and dependencies without previous versions

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

[yeikel]

@kbukum1 Is there any way I can help to move this forward?

[kbukum1]

@kbukum1 Is there any way I can help to move this forward?

I need to check it. I will let you know hopefully by tomorrow.

[kbukum1]

@kbukum1 Is there any way I can help to move this forward?

I need to check it. I will let you know hopefully by tomorrow.

This may take sometime since it is not only dependabot-core. But also need to check on dependabot-api to pass parameters.

[yeikel]

@kbukum1 Is there any way I can help to move this forward?

I need to check it. I will let you know hopefully by tomorrow.

This may take sometime since it is not only dependabot-core. But also need to check on dependabot-api to pass parameters.

Sure, thanks for the update. Just let me know later on if I can support

[kbukum1]

@kbukum1 Is there any way I can help to move this forward?

I need to check it. I will let you know hopefully by tomorrow.

This may take sometime since it is not only dependabot-core. But also need to check on dependabot-api to pass parameters.

Sure, thanks for the update. Just let me know later on if I can support

@yeikel , I am checking this now. Sorry for the delay.

[Copilot]

Pull request overview

Adds update-types support to the Dependabot config allow block so users can semver-filter allowed updates (major/minor/patch) without relying on an allow + ignore workaround.

Changes:

• Extend Dependabot::Job#allowed_update? to apply allow[].update-types filtering based on the dependency’s computed semver update type.
• Add UpdateTypeHelper#update_type_for_dependency and reuse it from Job (and de-duplicate the prior implementation in GroupDependencySelector).
• Add specs covering semver type detection and allow behavior (including security bypass and “no previous version” cases).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
updater/lib/dependabot/job.rb	Applies allow.update-types filtering during allowed_update? evaluation (with security bypass).
updater/lib/dependabot/updater/update_type_helper.rb	Adds update_type_for_dependency helper to compute major/minor/patch from previous vs current versions.
updater/lib/dependabot/updater/group_dependency_selector.rb	Removes the duplicated update_type_for_dependency implementation (relies on shared helper).
updater/spec/dependabot/job_spec.rb	Adds test coverage for allow.update-types semantics across update types and edge cases.
updater/spec/dependabot/updater/update_type_helper_spec.rb	Adds tests for dependency-level update type classification.

[AbhishekBhaskar]

LGTM