How to handle version requirements
By default we don't send you pull requests for gems/packages where you specified a version constraint in your Gemfile/package.json.
This assumes you only set constraints when you know you don't want to update. If you specify versions for all your gems/packages, it makes sense to also send you pull requests for new versions of those. Because you wouldn't get very many updates from Depfu otherwise.
An example
Let’s use an example package named "great-library", which has just released version 12.1.0
A. You have either no version specified in the Gemfile/package.json, or the new version is within the specified version range:
gem 'great-library' # or gem 'great-library', '~> 12.0'
"dependencies": { "great-library": "^12.0.0" }
In this case, we only need to update the lockfile and see if the tests are still running after the update.
B. The new version is not within the specified version range:
gem 'great-library', '~> 11.3'
"dependencies": { "great-library": "^11.0.0" }
Here, if we would want to update to 12.1.0, we’d have to bump the version range in your Gemfile/package.json as well, just updating the lockfile isn't enough:
gem 'great-library', '~> 12.0'
"dependencies": { "great-library": "^12.1.0" }
It depends
If you made the effort to actually specify a version range, chances are that you really don’t want to update the gem outside of that range.
Of course, it’s often not as simple as that. We’ve seen all sorts of reasons why teams lock versions - Sometimes they, after an upgrade of a package, found some subtle bugs and didn’t have the time to fully investigate, so they roll back the upgrade and lock the version to a working one. And, as these things go, nobody ever gets back to do the actual investigation and so the dependency rot begins.
Your choice
If you want pull requests for out-of-spec updates, you can configure that in the project settings. By default it is disabled unless we detect that you specify versions for all packages, then we enable it since we otherwise couldn't sent you any updates at all.
If you need even more fine-grained control, you can also combine this with pausing packages.