Allow users to switch to native tool versions on demand #14139

@yeikel

Is there an existing issue for this?

  • I have searched the existing issues

Feature description

Dependabot currently comes with fixed versions of native tools, such as npm:

ARG PNPM_VERSION=10.16.0
# Check for updates at https://github.com/yarnpkg/berry/releases
# With every major release update, also update npm_and_yarn/lib/dependabot/npm_and_yarn/yarn_package_manager.rb (Section : Update instructions)
ARG YARN_VERSION=4.9.2
# See https://github.com/nodesource/distributions#installation-instructions
# Always update NODEJS_VERSION with a compatible NPM_VERSION
# See https://nodejs.org/en/about/previous-releases#looking-for-the-latest-release-of-a-version-branch for more information
# Note : Always use the Active LTS version
ARG NODEJS_VERSION=24
# Check for updates at https://github.com/npm/cli/releases
# This version should be compatible with the NODEJS_VERSION version declared above. See https://nodejs.org/en/download/releases as well
# With every major release update, also update npm_and_yarn/lib/dependabot/npm_and_yarn/npm_package_manager.rb (Section : Update instructions)
ARG NPM_VERSION=11.7.0

This approach generally works, but when a user specifies a particular version, Dependabot still relies on the pre-installed tool, disregarding preferences set through the engine field, .nvmrc, or similar configuration files. Relying on the global binary means using the latest installed version, which usually works, but occasionally a new release introduces a bug, fix, or breaking change that can affect how your project is installed.

Ideally, Dependabot should respect these configurations and install or switch to the requested version as needed.

Additional context

The initial logic for this was introduced in #13607, but it only supports switching at the major version level.

As highlighted in issues like #13931, there is a need for more granular control over tool versions.
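The gap this issue describes can be made visible with a small drift check. This is an added example, not code from the issue or from Dependabot: it compares the bundled `ARG` versions against the exact versions a project pins and reports the first component that differs. The function names are hypothetical, the inputs are constructed, and reading the `packageManager` field of `package.json` is an assumption standing in for the "similar configuration files" mentioned above.

```ruby
require "json"

# Constructed sample inputs (not read from a real repository).
DOCKERFILE = <<~DOCKER
  ARG PNPM_VERSION=10.16.0
  ARG YARN_VERSION=4.9.2
  ARG NODEJS_VERSION=24
  ARG NPM_VERSION=11.7.0
DOCKER
PACKAGE_JSON = '{"name":"demo","packageManager":"npm@11.6.2"}'
NVMRC = "v24.1.0\n"

# Map of tool name => bundled version, taken from the Dockerfile ARG lines.
def bundled_versions(dockerfile)
  dockerfile.scan(/^ARG (\w+)_VERSION=(\S+)$/).to_h { |name, v| [name.downcase, v] }
end

# Exact pins a project declares: the "packageManager" field and .nvmrc.
def requested_versions(package_json, nvmrc)
  req = {}
  pm = JSON.parse(package_json)["packageManager"]
  if pm && (m = pm.match(/\A(npm|pnpm|yarn)@(\d+(?:\.\d+){0,2})/))
    req[m[1]] = m[2]
  end
  node = nvmrc.to_s.strip.sub(/\Av/, "")
  req["nodejs"] = node if node.match?(/\A\d+(\.\d+){0,2}\z/) # skip aliases like lts/*
  req
end

# First component where the two differ, or nil; "24" is treated as matching "24.1.0".
def drift_level(requested, bundled)
  r = requested.split(".").map(&:to_i)
  b = bundled.split(".").map(&:to_i)
  %i[major minor patch].each_with_index do |level, i|
    break if r[i].nil? || b[i].nil?
    return level if r[i] != b[i]
  end
  nil
end

def drift_report(dockerfile, package_json, nvmrc)
  bundled = bundled_versions(dockerfile)
  requested_versions(package_json, nvmrc).filter_map do |tool, want|
    level = bundled[tool] && drift_level(want, bundled[tool])
    { tool: tool, requested: want, bundled: bundled[tool], level: level } if level
  end
end

puts drift_report(DOCKERFILE, PACKAGE_JSON, NVMRC).inspect
```

A `:minor` or `:patch` result marks a pin that switching at the major version level alone would not satisfy.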
