chore(ci): add .github/dependabot.yml — weekly dep updates for 3 ecosystems (Phase 5)#185
Merged
Closes one of the Phase 5 housekeeping items from the 14-subagent
self-audit (2026-05-21) parking-lot. New Dependabot v2 config covers
QuantRank's three dependency ecosystems:
- **pip** — pyproject.toml at repo root (Python compute layer)
- **npm** — frontend/package.json (Next.js frontend)
- **github-actions** — .github/workflows/ (CI actions)
Design choices:
- Weekly cadence (Monday 08:00 Asia/Bangkok) — daily too noisy for a
solo-maintained project, monthly drifts CVE-fix latency too long
- Minor + patch grouped into one PR per ecosystem (reduces PR count
when multi-package sweeps land upstream); security updates always
separate at top priority (Dependabot default)
- Commit-prefix scheme `chore(deps-{py|npm|ci})` matches the project's
existing `chore(X):` convention (feat / docs / fix / chore)
- open-pull-requests-limit capped 5/5/3 per ecosystem so the PR queue
stays manageable against active claude/* branches
Explicit ignore — `next` / `react` / `react-dom` / `@types/react*`
MAJOR bumps:
- Tracked under issue #41 (Next 14 → 16 needs scoped breaking-change
migration with dependency-auditor triage; bundling into a routine
Dependabot PR would footgun the App Router async-API migration)
- Minor + patch + security updates on those packages still file
automatically — those are safe to merge
NOT included in this PR:
- Issue #41 Next 14 → 16 migration itself (HIGH effort, needs
dependency-auditor triage + breaking-change inventory + own session)
- Issue #137 9arm-skills vendor (BLOCKED on upstream license —
maintainer action, not autonomous work)
- Baseline-snapshot tagging on main for Section E delta tracking
(separate Phase 5 sub-task; not bundled here)
No compute / schema / scoring / valuation / frontend code change —
pure .github/ addition. The next Dependabot run lands the Monday
after merge. Verification: ruff clean, schema_check in sync,
yaml.safe_load() validates the config structure.
CLAUDE.md + AGENTS.md lockstep entries added. Two prior in-flight
entries (PR #184 METHODOLOGY refresh) updated to "merged".
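The config the description above specifies, written out as an added example (it is not the merged `.github/dependabot.yml` itself; the follow-up in this thread later extends the same `ignore:` list). Group names, `patterns: ["*"]` and the `"/"` directory for the actions ecosystem are assumptions; everything else follows the PR text.

```yaml
# Reconstructed .github/dependabot.yml matching the PR description above.
# Assumed (not stated on the page): group names, patterns: ["*"], and the
# "/" directory for the github-actions ecosystem (what Dependabot requires).
version: 2
updates:
  # pip: pyproject.toml at repo root (Python compute layer)
  - package-ecosystem: "pip"
    directory: "/"
    schedule: { interval: "weekly", day: "monday", time: "08:00", timezone: "Asia/Bangkok" }
    open-pull-requests-limit: 5
    commit-message: { prefix: "chore(deps-py)" }
    groups:
      # minor + patch in one PR; security updates are not grouped, so they
      # still file separately (Dependabot default)
      py-minor-patch: { patterns: ["*"], update-types: ["minor", "patch"] }

  # npm: frontend/package.json (Next.js frontend)
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule: { interval: "weekly", day: "monday", time: "08:00", timezone: "Asia/Bangkok" }
    open-pull-requests-limit: 5
    commit-message: { prefix: "chore(deps-npm)" }
    groups:
      npm-minor-patch: { patterns: ["*"], update-types: ["minor", "patch"] }
    # React-stack majors are tracked under issue #41. Only semver-major
    # transitions are blocked; minor, patch and security PRs still file.
    ignore:
      - dependency-name: "next"
        update-types: ["version-update:semver-major"]
      - dependency-name: "react"
        update-types: ["version-update:semver-major"]
      - dependency-name: "react-dom"
        update-types: ["version-update:semver-major"]
      - dependency-name: "@types/react*"   # wildcard covers @types/react and @types/react-dom
        update-types: ["version-update:semver-major"]

  # github-actions: .github/workflows/ (CI actions)
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule: { interval: "weekly", day: "monday", time: "08:00", timezone: "Asia/Bangkok" }
    open-pull-requests-limit: 3
    commit-message: { prefix: "chore(deps-ci)" }
    groups:
      actions-minor-patch: { patterns: ["*"], update-types: ["minor", "patch"] }
```

The page's own check, `python3 -c "import yaml; yaml.safe_load(open('.github/dependabot.yml'))"`, parses this to a mapping with `version: 2` and three `updates` entries.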
dackclup added a commit that referenced this pull request on May 22, 2026
…e 5, partial #41) (#194)

Partial progress on issue #41 (Next.js 14.2 → 16 CVE refresh) via a within-branch patch bump that closes the 8 advisories #41 originally itemized at filing time, without breaking-change migration.

Changes:
- frontend/package.json: next 14.2.15 → 14.2.35
- frontend/package.json: eslint-config-next 14.2.15 → 14.2.35 (lockstep with next minor; same major-pin convention)
- frontend/package.json: postcss 8.4.38 → 8.5.15 (direct devDep)
- frontend/package.json: new "overrides": { "postcss": "8.5.15" } (forces next's nested exact-pin postcss@8.4.31 to lift transitively — closes XSS advisory GHSA-qx2v-qp2m-jg93)
- frontend/package-lock.json: regenerated (147 lines, net -91 via dedupe)

CVEs closed by this PR (8 of next's original advisories):
- GHSA-7m27-7ghc-44w9 DoS Server Actions (fix <14.2.21)
- Info exposure in dev server (fix <14.2.30)
- Cache key confusion next/image (fix <14.2.31)
- Improper middleware redirect SSRF (fix <14.2.32)
- Content injection next/image (fix <14.2.31)
- Race condition cache poisoning (fix <14.2.24)
- DoS Server Components CVSS 7.5 (fix <14.2.34)
- DoS Server Components incomplete-fix follow-up (fix <14.2.35)
- postcss XSS via </style> stringify (fix <8.5.10)

Issue #41 STAYS OPEN. 14 new `next` advisories surfaced on the npm advisory DB between 2026-05-13 (issue filed) and 2026-05-22 (this PR), ALL requiring `<15.5.16` to fix — none have a 14.2.x backport. All 14 target SSR / Server-Components / middleware / runtime features QuantRank doesn't use (we ship static export only, no SSR runtime, no middleware, no rewrites). Real exploitability for the static-export site remains zero per #41's own original risk rating, but `npm audit` cannot infer the static-export posture so the advisories still surface in CI. The remaining 14 → 16 migration (App Router async APIs + React 18 → 19 typing + Node 20+ + eslint-config-next 16.x) is release-tag-cleanliness, not security-critical.

Dependency-auditor verdict 2026-05-22: SAFE-TO-MERGE as a focused patch PR. Confirmed zero breaking changes in 14.2.15 → 14.2.35 range (Next.js public changelog: 14.2.x is security-only releases; no App Router API changes, no next.config.js renames, no static-export pipeline changes).

Verification:
- ruff check . — clean
- python -m pytest tests/ -m "not network" -q — 1059/1059 passed
- npx tsc --noEmit — clean
- npx next build — clean, all 506 static routes generated
- npm install — lockfile regenerated without conflict
- npm audit --omit=dev — original 8 + postcss CVEs all closed

No compute / schema / scoring / valuation / Python code change — frontend dep-bump only. CLAUDE.md + AGENTS.md lockstep entries added; two prior in-flight entries (PR #185 dependabot config) updated to "merged".

Co-authored-by: Claude <noreply@anthropic.com>
dackclup pushed a commit that referenced this pull request on May 22, 2026
…charts/eslint-config-next majors

Durable YAML backstop after Dependabot's first wave (2026-05-22) filed 4 major-bump PRs from the config that landed in PR #185:
- PR #190 `eslint 8.57.0 → 10.4.0` — frontend build FAILED (eslint 9+ flat config breaks `eslint-config-next 14.2.x` legacy `.eslintrc`)
- PR #191 `typescript 5.4.5 → 6.0.3` — frontend build FAILED (TS6 strict-mode + new lib.dom typings surface previously-silent `any`-flow issues)
- PR #192 `@types/node 20.12.7 → 25.9.1` — GREEN (type-only metadata; pending user authorize merge)
- PR #193 `recharts 2.12.7 → 3.8.1` — frontend build FAILED (recharts 3 restructured chart-component API; needs touching all 4 chart surfaces in one scoped migration)

PR #190 / #191 / #193 closed via `@dependabot ignore this major version` comment commands. This PR adds the same 3 deps PLUS `eslint-config-next` to `.github/dependabot.yml`'s `ignore:` block as a durable YAML-level backstop — survives Dependabot server resets and per-PR comment-ignore-history garbage collection.

Total npm ignore entries grow 5 → 9 (existing React-stack: `next`, `react`, `react-dom`, `@types/react`, `@types/react-dom`; new: `eslint`, `eslint-config-next`, `typescript`, `recharts`). Minor + patch + security updates on ALL these packages STILL file automatically — the ignore only blocks `version-update:semver-major` transitions.

Issue #41 still owns the scoped breaking-change migration for the React-stack majors. `recharts 3` would be a separate chart-library-migration work item if/when it becomes priority (no security advisories on 2.12.7, so cosmetic-only).

No compute / schema / scoring / valuation / Python / TypeScript / frontend code change — `.github/` + docs lockstep only. Also fixes a stale "in flight" → "merged" reference for PR #185 + adds PR #194 cross-link in CLAUDE.md §Phase status.

Verification: ruff clean; YAML parses to v2 with 3 ecosystems and 9 npm ignore entries.
dackclup added a commit that referenced this pull request on May 22, 2026
…charts/eslint-config-next majors (#195)

Durable YAML backstop after Dependabot's first wave (2026-05-22) filed 4 major-bump PRs from the config that landed in PR #185:
- PR #190 `eslint 8.57.0 → 10.4.0` — frontend build FAILED (eslint 9+ flat config breaks `eslint-config-next 14.2.x` legacy `.eslintrc`)
- PR #191 `typescript 5.4.5 → 6.0.3` — frontend build FAILED (TS6 strict-mode + new lib.dom typings surface previously-silent `any`-flow issues)
- PR #192 `@types/node 20.12.7 → 25.9.1` — GREEN (type-only metadata; pending user authorize merge)
- PR #193 `recharts 2.12.7 → 3.8.1` — frontend build FAILED (recharts 3 restructured chart-component API; needs touching all 4 chart surfaces in one scoped migration)

PR #190 / #191 / #193 closed via `@dependabot ignore this major version` comment commands. This PR adds the same 3 deps PLUS `eslint-config-next` to `.github/dependabot.yml`'s `ignore:` block as a durable YAML-level backstop — survives Dependabot server resets and per-PR comment-ignore-history garbage collection.

Total npm ignore entries grow 5 → 9 (existing React-stack: `next`, `react`, `react-dom`, `@types/react`, `@types/react-dom`; new: `eslint`, `eslint-config-next`, `typescript`, `recharts`). Minor + patch + security updates on ALL these packages STILL file automatically — the ignore only blocks `version-update:semver-major` transitions.

Issue #41 still owns the scoped breaking-change migration for the React-stack majors. `recharts 3` would be a separate chart-library-migration work item if/when it becomes priority (no security advisories on 2.12.7, so cosmetic-only).

No compute / schema / scoring / valuation / Python / TypeScript / frontend code change — `.github/` + docs lockstep only. Also fixes a stale "in flight" → "merged" reference for PR #185 + adds PR #194 cross-link in CLAUDE.md §Phase status.

Verification: ruff clean; YAML parses to v2 with 3 ecosystems and 9 npm ignore entries.

Co-authored-by: Claude <noreply@anthropic.com>
Summary

Closes one of the Phase 5 housekeeping items from the 14-subagent self-audit (2026-05-21) parking-lot. New Dependabot v2 config covers QuantRank's three dependency ecosystems.

| Ecosystem | Directory | Commit prefix |
| --- | --- | --- |
| pip | / (pyproject.toml) | chore(deps-py) |
| npm | /frontend | chore(deps-npm) |
| github-actions | / (workflows) | chore(deps-ci) |

Design choices

- …`chore(X):` convention (feat / docs / fix / chore)
- `next` / `react` / `react-dom` / `@types/react*` MAJOR bumps explicitly ignored — tracked under Bump Next.js 14.2 → 16 (security CVEs + dep refresh) #41 (Next 14 → 16 needs scoped breaking-change migration with dependency-auditor triage). Minor + patch + security on those packages still file automatically.

NOT in scope

- …dependency-auditor triage + breaking-change inventory + own session. Per Bump Next.js 14.2 → 16 (security CVEs + dep refresh) #41's own scope note, QuantRank ships static export → most of the 23 CVEs are non-applicable (no SSR / no middleware / no image-opt runtime / no rewrites runtime). Risk rating from Bump Next.js 14.2 → 16 (security CVEs + dep refresh) #41: "Low actual exploitability, high CVE-noise on npm audit."

Test plan

- `ruff check .` — clean (only Python imports lint)
- `python -m compute.output.schema_check` — in sync (no schema touch)
- `python3 -c "import yaml; yaml.safe_load(open('.github/dependabot.yml'))"` — parses to v2 with 3 ecosystems

CLAUDE.md + AGENTS.md lockstep

Both touched on this branch. Also updated 2 prior in-flight entries (PR #184 METHODOLOGY refresh) to "merged".
https://claude.ai/code/session_01HHo4UHKc9iKKytkKfxfVnA
Generated by Claude Code