…submodules

Dependabot kept opening PRs for `singleton-paymaster/lib/**` package.json files (transitive deps of upstream tests/docs tooling we never install, execute, or bundle). Closing each one is noise.

- Add explicit glob negations for `singleton-paymaster/**`, `contracts/lib/**`, and `lib/**` to keep scanning scoped to our code.
- Also add `/packages/*` so real workspace deps (e.g. x402-facilitator-node) are still monitored.
- Document in the top comment what to do if noise PRs do slip through.
Expand directories scope to cover our actual js surface (subgraph indexer and gasless e2e helpers) and exclude vendored standards/ submodules. Vendored submodule package.json files belong to upstream tooling we never install or run, so they should never trigger version-update PRs. Note: this does not stop GitHub Security Alerts (CVE-driven) which ignore directories scoping by platform design — those still need to be closed manually.
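fanhousanbu (Contributor) reviewed on Apr 25, 2026 and left a comment:

A few small questions to confirm:

- `/subgraph` and `/script/gasless-tests` are newly added and are not mentioned in the PR description. Do these two paths have a `package.json`? If not, they can be removed to avoid redundant configuration.
- `!/standards/**` is also not explained in the description. Is this directory vendored content or the project's own code?
- With `open-pull-requests-limit: 1` now monitoring multiple directories, one unmerged PR will block updates for the other directories. Is this an intentionally conservative setting?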
fanhousanbu approved these changes on Apr 25, 2026
Summary

- `singleton-paymaster/lib/**` `package.json` files (transitive deps of upstream tests/docs tooling we never install, execute, or bundle). PRs chore(deps-dev): bump axios from 1.5.1 to 1.15.0 in /singleton-paymaster/lib/openzeppelin-contracts-v5.0.2 #76, chore(deps-dev): bump axios from 1.12.2 to 1.15.0 in /singleton-paymaster/lib/openzeppelin-contracts-v5.1.0 #77, chore(deps): bump follow-redirects from 1.15.6 to 1.16.0 in /singleton-paymaster/lib/openzeppelin-contracts-v5.1.0 #79, chore(deps): bump follow-redirects from 1.15.3 to 1.16.0 in /singleton-paymaster/lib/account-abstraction-v7 #80, chore(deps): bump follow-redirects from 1.15.2 to 1.16.0 in /singleton-paymaster/lib/account-abstraction-v6 #81, chore(deps): bump follow-redirects from 1.15.1 to 1.16.0 in /singleton-paymaster/lib/openzeppelin-contracts-v4.8.3 #82 were all this noise and were closed.
- `singleton-paymaster/**`, `contracts/lib/**`, and `lib/**` under `directories` so those paths stop being scanned.
- `/packages/*` so real workspace deps (e.g. `x402-facilitator-node` — see chore(deps): bump @hono/node-server from 1.19.11 to 1.19.13 in /packages/x402-facilitator-node #74, chore(deps): bump hono from 4.12.9 to 4.12.14 in /packages/x402-facilitator-node #86) are still monitored.

Test plan

- `singleton-paymaster/lib/**`.
- `/` and `/packages/*` when updates are available.
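An added example, not code from this PR or repository: an audit that takes a list of `package.json` paths and reports which fall inside the scoped directories, which sit under the excluded vendored paths, which are monitored by nothing, and which include entries match no manifest at all (the reviewer's first question). The glob semantics in `_matches` are an assumption of this example rather than Dependabot's own matcher, and the manifest list is constructed.

```python
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

# Patterns named in the thread, normalised to a leading slash.
# How they are matched below is this example's assumption, not Dependabot's matcher.
INCLUDE = ["/", "/packages/*", "/subgraph", "/script/gasless-tests"]
EXCLUDE = ["/singleton-paymaster/**", "/contracts/lib/**", "/lib/**", "/standards/**"]

# Constructed manifest list, not the real repository tree. A real run could feed
# the output of `git ls-files --recurse-submodules '*package.json'` instead.
SAMPLE = [
    "package.json",
    "packages/x402-facilitator-node/package.json",
    "singleton-paymaster/lib/account-abstraction-v7/package.json",
    "contracts/lib/example-dep/package.json",   # hypothetical path
    "standards/example-standard/package.json",  # hypothetical path
    "subgraph/package.json",                    # hypothetical path
    "tools/cli/package.json",                   # hypothetical path
]

def _matches(directory, pattern):
    """'/x/**' covers /x and everything below it; '*' covers exactly one path segment."""
    if pattern.endswith("/**"):
        base = pattern[:-3]
        return directory == base or directory.startswith(base + "/")
    d_parts = directory.strip("/").split("/")
    p_parts = pattern.strip("/").split("/")
    return len(d_parts) == len(p_parts) and all(
        fnmatchcase(d, p) for d, p in zip(d_parts, p_parts))

def audit(manifests):
    """Classify each manifest's directory; exclusions win over inclusions."""
    report = {"scanned": [], "excluded": [], "unmonitored": []}
    hit = set()
    for m in manifests:
        parent = PurePosixPath(m.lstrip("/")).parent
        directory = "/" if str(parent) == "." else f"/{parent}"
        if any(_matches(directory, p) for p in EXCLUDE):
            report["excluded"].append(m)
            continue
        matched = [p for p in INCLUDE if _matches(directory, p)]
        hit.update(matched)
        report["scanned" if matched else "unmonitored"].append(m)
    # Include entries that matched no manifest are candidates for removal.
    report["unused_includes"] = [p for p in INCLUDE if p not in hit]
    return report

if __name__ == "__main__":
    for key, values in audit(SAMPLE).items():
        print(f"{key}: {values}")
```

An entry under `unmonitored` is a manifest the scoped configuration would silently stop covering, which is the failure to look for after narrowing `directories`.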