Dependabot Feature Request: Org/Enterprise-wide ignores

[omsmith]

Select Topic Area

Product Feedback

Body

Hey team

A dependency we use across many different repositories updated earlier today to include undesirable/arguably-malicious behaviour during builds. While we have methods of blocking the relevant versions through internal package manager proxies, usage of them isn't necessarily 100% consistent. It would be nice to have a way to specify ignored packages on an org/enterprise-wide basis to prevent Dependabot from suggesting the update without having to configure it in every repository.

Through a UI I would imagine a workflow in the org/enterprise settings pages:

1. Click Add new global ignore
2. Select package manager from dropdown
3. Text input for dependency name
4. An option for All versions or a "tag list" of version specifications

This easily translates into

      - dependency-name: MyIgnoredDependency

or

      - dependency-name: MyIgnoredDependency
        versions: ["2.x", "3.x"]

Which would be merged into the ignore: property of all configurations for that package-ecosystem.

Alternatively, I could imagine it being configured via the .github repository.

Appreciate the time; hope this resonates.