Add support for docker-compose.yml files #11492

Merged: 30 commits, Feb 19, 2025

@robaiken (Contributor) commented Feb 5, 2025

What are you trying to accomplish?

Adding support for docker-compose.yml files in the docker package of dependabot-core. This will allow Dependabot to handle dependency updates in Docker Compose files alongside regular Dockerfile updates.

This addresses issue #390

Big thanks to @pedropombeiro for the initial implementation of this feature and @oceanBT for keeping the PR alive

How will you know you've accomplished your goal?

Dependabot successfully detects and updates dependencies in docker-compose.yml files automatically.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

@github-actions github-actions bot added the L: docker Docker containers label Feb 5, 2025
@robaiken robaiken force-pushed the robaiken/docker-compose-support branch 2 times, most recently from fba0088 to 72940c0 Compare February 5, 2025 15:38
@Aaron-Ritter

@robaiken I am so happy to see this being addressed!

I noticed you focus on docker-compose.yml (sometimes spelled docker-compose.yaml). For some time now, compose.yaml has been the preferred file name (https://docs.docker.com/compose/intro/compose-application-model/); could you please make sure to include all 4 variations?

  • compose.yaml (preferred)
  • compose.yml
  • docker-compose.yaml
  • docker-compose.yml

@swissbuechi

@Aaron-Ritter

Good point.

In some projects you'll even find things like compose-dev.yml or docker-compose.dev.yaml and many more fancy variations of this environment-based file naming pattern.

Of course, using Compose Profiles could solve the need for multiple compose files, but projects providing a compose file for self-hosting maybe don't want to include everything dev related by default.

@robaiken
Could the files that are needed to be scanned be configured in the dependabot.yml?

@robaiken robaiken force-pushed the robaiken/docker-compose-support branch from 55db598 to d86cce5 Compare February 17, 2025 15:00
@robaiken (Contributor, Author) commented Feb 17, 2025

Hi @Aaron-Ritter and @swissbuechi 👋

The file fetcher for Docker Compose already handles all the standard naming variations you mentioned:

  • compose.yaml/yml
  • docker-compose.yaml/yml
  • dot notation patterns (like compose.dev.yaml)
  • all common suffixes (.dev, .local, .prod, .staging, etc.)

@swissbuechi I've updated the regex to also support environment-specific compose files with hyphenated patterns (like compose-dev.yaml). Thanks for the suggestion.

> Could the files that are needed to be scanned be configured in the dependabot.yml?

We currently have limited support for this. Feel free to submit a feature request if you'd like to see expanded configuration options for compose file patterns.
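
The naming variations listed in the comment above, as an added example that is not code from this PR or from dependabot-core: a filename matcher plus an image-reference extractor for the matched files. The regex, method names and sample data are assumptions constructed for illustration; the project's actual pattern may differ.

```ruby
require "yaml"

# Hypothetical pattern (an assumption, not Dependabot's own regex): optional
# "docker-" prefix, "compose", optional ".env" or "-env" part, then .yml/.yaml.
# \A and \z anchor the whole basename so "compose.yaml.bak" is rejected.
COMPOSE_FILE = /\A(?:docker-)?compose(?:[.-][\w-]+)?\.ya?ml\z/i

# Paths from a repository listing whose basename looks like a Compose file.
def compose_files(paths)
  paths.select { |path| File.basename(path).match?(COMPOSE_FILE) }
end

# Image references per service, split into repository, tag and digest.
# safe_load refuses arbitrary object tags in untrusted repository content;
# aliases are enabled because Compose files commonly use YAML anchors.
def image_refs(yaml_text)
  doc = YAML.safe_load(yaml_text, aliases: true)
  services = doc.is_a?(Hash) ? doc["services"] : nil
  return [] unless services.is_a?(Hash)

  services.filter_map do |service, config|
    next unless config.is_a?(Hash) && config["image"].is_a?(String)

    ref, digest = config["image"].split("@", 2)
    # The tag follows the last ":" only if no "/" comes after it, so a
    # registry port such as "host:5000/app" is not mistaken for a tag.
    match = ref.to_s.match(%r{\A(.+?)(?::([^/:]+))?\z})
    next unless match

    { service: service, repo: match[1], tag: match[2], digest: digest }
  end
end

# Constructed sample input.
SAMPLE_PATHS = %w[
  compose.yaml docker-compose.yml deploy/compose.dev.yaml compose-dev.yaml
  docker-compose.prod.yml Dockerfile k8s/deployment.yaml compose.yaml.bak
].freeze

SAMPLE_COMPOSE = <<~YAML
  services:
    web:
      image: nginx:1.27
    cache:
      image: redis:7@sha256:#{'0' * 64}
    api:
      image: registry.example.com:5000/app
    worker:
      build: .
YAML
```

A file the matcher skips is a file whose images never get update checks, so the unmatched remainder of a listing is worth reviewing alongside the matches.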

@Aaron-Ritter

One more question @robaiken, am I understanding it correctly that you add docker_compose as its own Package Manager rather than extending docker?

I am asking because the docker package manager at the moment takes care of both Dockerfile as well as Kubernetes YAML configurations.

@robaiken robaiken force-pushed the robaiken/docker-compose-support branch from 8ccf6f9 to cfd6487 Compare February 18, 2025 13:22
@robaiken robaiken marked this pull request as ready for review February 18, 2025 14:16
@robaiken robaiken requested a review from a team as a code owner February 18, 2025 14:16
@robaiken (Contributor, Author)

@Aaron-Ritter We're intentionally keeping docker compose separate from the docker image manager to avoid the complexity that comes from combining ecosystems. While combining them might seem convenient, it often leads to "magic" behavior that's hard to debug. Separate ecosystems = clearer boundaries and more predictable behavior.

@robaiken robaiken merged commit ffd081f into main Feb 19, 2025
131 of 134 checks passed
@robaiken robaiken deleted the robaiken/docker-compose-support branch February 19, 2025 11:34
dmitris pushed a commit to dmitris/dependabot-core that referenced this pull request Feb 26, 2025
Labels: L: docker (Docker containers), T: new-ecosystem (Requests for new ecosystems/languages)