chore: remove example/fixture lockfiles from git to reduce Dependabot noise#8334

Merged
thatmichael85 merged 1 commit into main from users/thatmichael85/reduce-dependabot-noise, Apr 11, 2026

Conversation

@thatmichael85
Contributor

Summary

Dependabot currently reports 83 open security alerts against this repo. After investigation, none affect shipped library code — they all come from transitive dependencies in:

  • examples/*/pnpm-lock.yaml (18 standalone example apps)
  • scripts/__tests__/integration/fixtures/*/pnpm-lock.yaml (2 test fixtures)
  • Root pnpm-lock.yaml (dev/build tooling)

This PR addresses the first two categories by removing those lockfiles from git tracking.

Changes

  1. Remove 20 pnpm-lock.yaml files from git (18 examples + 2 integration test fixtures)
  2. Add .gitignore rules so they stay untracked going forward
  3. Add .github/dependabot.yml to configure Dependabot version updates for the root workspace only, with GitHub Actions updates on a monthly cadence
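An illustrative .github/dependabot.yml for the configuration described in item 3, added here as an example rather than the file from this PR; the ecosystems and root directory follow the description, while the weekly interval and PR limit are assumptions.

```yaml
# Illustrative .github/dependabot.yml (added example; the interval and
# PR limit are assumptions, not values taken from this PR).
version: 2
updates:
  # Version updates for the root pnpm workspace only. pnpm projects are
  # configured under the "npm" ecosystem. The examples/ and fixtures/
  # directories are not listed, so no version-update PRs are opened there.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10

  # GitHub Actions workflow dependencies, checked on a monthly cadence.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
```

This file scopes version updates only; Dependabot security alerts are raised for any lockfile it finds in the repository, which is why the PR also removes the example and fixture lockfiles from tracking.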

What this does NOT break

| Concern | Why it's safe |
| --- | --- |
| update-examples.mjs (post-release) | Regenerates lockfiles locally via pnpm --ignore-workspace --no-frozen-lockfile i. Never reads existing lockfiles from git. |
| Integration tests | Use npm install --no-save <tgz> with freshly-built packages. Lockfiles are never referenced. |
| Post-release workflow (call-post-release.yml) | Uses git-auto-commit-action, which respects .gitignore. Updated package.json files are still committed; lockfiles are simply skipped. |
| Users cloning examples | pnpm install resolves fresh deps from the pinned versions in package.json. Direct deps (lexical, @lexical/react, etc.) are pinned to exact versions. |

Context

These directories are explicitly excluded from the pnpm workspace (pnpm-workspace.yaml):

packages:
  - 'packages/*'
  - '!examples/**/*'
  - '!scripts/__tests__/integration/fixtures/**/*'

The lockfiles existed for convenience but were generating a steady stream of Dependabot alerts (vite, picomatch, lodash, undici, dompurify, node-forge, etc.) that appeared as security issues against the main project despite having zero impact on shipped packages.

Expected impact

This should eliminate ~39 of the 83 current Dependabot alerts (those sourced from example and fixture lockfiles). The remaining ~44 alerts from the root pnpm-lock.yaml are legitimate (though still only dev dependencies) and can be addressed separately.

… noise

Dependabot generates alerts against this repo for transitive dependencies
in standalone example apps and integration test fixtures — directories
explicitly excluded from the pnpm workspace. None of these alerts affect
shipped library code.

Changes:
- Remove 20 pnpm-lock.yaml files from git tracking (18 examples + 2
  integration test fixtures)
- Add .gitignore rules so they stay untracked going forward
- Add .github/dependabot.yml to configure Dependabot version updates
  for the root workspace only, with GitHub Actions updates monthly

What this does NOT break:
- update-examples.mjs: regenerates lockfiles locally via
  pnpm --ignore-workspace --no-frozen-lockfile i (never reads from git)
- Integration tests: use npm install --no-save with local tgz files
- Post-release workflow: git-auto-commit-action respects .gitignore
- Users cloning examples: pnpm install resolves from pinned versions
@vercel

vercel Bot commented Apr 11, 2026

The latest updates on your projects.

| Project | Deployment | Updated (UTC) |
| --- | --- | --- |
| lexical | Ready | Apr 11, 2026 3:47pm |
| lexical-playground | Ready | Apr 11, 2026 3:47pm |

@meta-cla meta-cla Bot added the CLA Signed label Apr 11, 2026
@etrepum etrepum added the extended-tests label Apr 11, 2026
@thatmichael85 thatmichael85 added this pull request to the merge queue Apr 11, 2026
Merged via the queue into main with commit d7e49e8 Apr 11, 2026
43 of 44 checks passed
@etrepum etrepum mentioned this pull request Apr 27, 2026