ci: group Dependabot security updates into one PR #33

Merged
ServerSideHannes merged 1 commit into main from chore/group-security-updates
May 29, 2026
@ServerSideHannes
Owner

Follow-up to #23.

Security updates bypass version-update groups by design, so they open one PR per advisory — currently 3 (idna, urllib3, python-multipart). idna/urllib3 are transitive deps the version-update group can't reach, so disabling security updates isn't safe here.

This adds an applies-to: security-updates catch-all group per ecosystem so all security updates collapse into a single security PR. End state: at most 2 weekly Dependabot PRs — one version-group, one security-group.

Security updates ignore version-update groups and open one PR per
advisory (idna, urllib3, python-multipart). Add an applies-to:
security-updates catch-all group per ecosystem so they collapse into a
single security PR, separate from the version-update group.
@ServerSideHannes ServerSideHannes merged commit 01aef88 into main May 29, 2026
4 checks passed
@ServerSideHannes ServerSideHannes deleted the chore/group-security-updates branch May 29, 2026 10:35
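
For reference, a `.github/dependabot.yml` with the shape the description above outlines: a version-update group plus an `applies-to: security-updates` catch-all group in each ecosystem. This is an added example, not the file from this pull request; the ecosystems, directories and group names are assumptions.

```yaml
# Constructed example, not the repository's actual configuration.
version: 2
updates:
  - package-ecosystem: "pip"          # assumed ecosystem
    directory: "/"                    # assumed manifest location
    schedule:
      interval: "weekly"
    groups:
      # Routine version bumps. Groups without applies-to default to
      # version-updates, so security updates never match this one.
      pip-version:                    # hypothetical group name
        applies-to: version-updates
        patterns:
          - "*"
      # Catch-all for security updates: every advisory fix for this
      # ecosystem, including transitive dependencies, lands in one PR.
      pip-security:                   # hypothetical group name
        applies-to: security-updates
        patterns:
          - "*"

  - package-ecosystem: "github-actions"   # assumed second ecosystem
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions-version:                # hypothetical group name
        applies-to: version-updates
        patterns:
          - "*"
      actions-security:               # hypothetical group name
        applies-to: security-updates
        patterns:
          - "*"
```

Groups are scoped to a single `updates` entry, so the security catch-all has to be repeated in every ecosystem block; an entry that lacks it goes back to one PR per advisory.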