fix: stabilize Dependabot — restore missing package.json, add dependabot.yml, regenerate lockfiles (#815)
Merged
…ightening npm update scope Agent-Logs-Url: https://github.com/jonobr1/two.js/sessions/cf6e28e3-9973-47b4-8806-5a4c9c7c5ee4 Co-authored-by: jonobr1 <220033+jonobr1@users.noreply.github.com>
Agent-Logs-Url: https://github.com/jonobr1/two.js/sessions/6e86b4bd-5c7f-40c3-8f01-e95d525e29c6 Co-authored-by: jonobr1 <220033+jonobr1@users.noreply.github.com>
…ackage.json, regenerate lockfiles, remove package-lock=false Agent-Logs-Url: https://github.com/jonobr1/two.js/sessions/6e86b4bd-5c7f-40c3-8f01-e95d525e29c6 Co-authored-by: jonobr1 <220033+jonobr1@users.noreply.github.com>
Agent-Logs-Url: https://github.com/jonobr1/two.js/sessions/6e86b4bd-5c7f-40c3-8f01-e95d525e29c6 Co-authored-by: jonobr1 <220033+jonobr1@users.noreply.github.com>
Copilot created this pull request from a session on behalf of jonobr1, April 23, 2026 05:50.
Up to standards ✅🟢 Issues

| Metric | Results |
|---|---|
| Complexity | 0 |
| Duplication | 0 |
jonobr1 approved these changes, Apr 24, 2026.
Pull request overview
Stabilizes Dependabot runs by making npm dependency sources explicit, restoring missing manifests, regenerating lockfiles, and adding CI guardrails to prevent future dependency-file regressions.
Changes:
- Added explicit `.github/dependabot.yml` configuration for `/`, `/tests/types`, `/tests/typescript`, plus GitHub Actions updates.
- Restored `tests/types/package.json` and regenerated/added npm lockfiles for test packages (and updated other lockfile metadata).
- Removed `.npmrc` that disabled lockfile updates, un-ignored `tests/typescript/package-lock.json`, and added a CI job to assert `package.json`/`package-lock.json` pairs exist.
Reviewed changes
Copilot reviewed 6 out of 11 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/dependabot.yml | Explicit Dependabot configuration for npm workspaces and GitHub Actions to avoid fragile auto-detection. |
| .github/workflows/lint.yml | Adds a CI job to verify each Dependabot-managed npm directory has both manifest + lockfile. |
| tests/types/package.json | Restores missing npm manifest for the types test directory. |
| tests/types/package-lock.json | Regenerated lockfile for tests/types (lockfile v3, updated local package metadata). |
| tests/typescript/package-lock.json | Adds a committed lockfile for tests/typescript so Dependabot can see the dependency tree. |
| .gitignore | Stops ignoring tests/typescript/package-lock.json so it can be committed/managed. |
| .npmrc | Removes config that prevented lockfile generation/updates. |
| build/two.js | Updates generated build output (PublishDate and related identifier renames). |
| build/two.module.js | Updates generated build output (PublishDate and related identifier renames). |
Files not reviewed (2)
- tests/types/package-lock.json: Language not supported
- tests/typescript/package-lock.json: Language not supported
Delete the scripts section that defined the "test" script ("jest") from tests/types/package.json. The updated file also no longer has a trailing newline.
All Dependabot runs were failing due to a combination of three independent root causes found in CI logs.
Root causes

- `dependency_file_not_found` for `/tests/types` — directory had a `package-lock.json` but no `package.json`; Dependabot auto-detected it via lockfile scan and then crashed on the missing manifest
- `security_update_dependency_not_found` on root — `.npmrc` contained `package-lock = false`, silently preventing lockfile updates; the committed `package-lock.json` was stuck at lockfileVersion 1, too old for Dependabot's security resolution logic
- `tests/typescript` dep tree invisible to Dependabot — its `package-lock.json` was explicitly gitignored

Changes

- `.github/dependabot.yml` — added explicit config targeting `/`, `/tests/types`, `/tests/typescript` (npm) and `/` (github-actions) with weekly schedule and grouped PRs; replaces fragile auto-detection
- `tests/types/package.json` — restored the missing manifest reconstructed from the existing lockfile's embedded metadata
- `.npmrc` removed — sole content was `package-lock = false`; contradicted the checked-in lockfile and broke `npm audit fix`
- `package-lock.json` upgraded from lockfileVersion 1 → 3; `tests/types` lockfile regenerated; `tests/typescript` lockfile generated and unignored
- `check-dependency-files` job in `lint.yml` — fails if any Dependabot-managed npm directory is missing its `package.json` or `package-lock.json`, preventing this class of regression
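The guardrail from the last bullet, written out as an added example rather than the project's own `lint.yml` job: it derives the npm directories from `dependabot.yml` and fails when a `package.json`/`package-lock.json` pair is incomplete, the exact state that produced `dependency_file_not_found` for `/tests/types`. The awk-based YAML scan and the `make_sample_repo` scratch layout are assumptions, not code from the repository.

```shell
#!/usr/bin/env sh
# Added example (not the project's lint.yml): check every npm directory named in
# dependabot.yml for both package.json and package-lock.json, failing otherwise.

# Print the directory of every npm update entry in a dependabot.yml.
# Assumes each entry lists package-ecosystem before directory (Dependabot's
# documented layout); quotes around values are tolerated.
npm_dirs() {
  awk '
    /^[ \t]*-[ \t]*package-ecosystem:/      { eco = $NF; gsub(/"/, "", eco) }
    /^[ \t]*directory:/ && eco == "npm"     { d = $NF; gsub(/"/, "", d); print d }
  ' "$1"
}

# Return 1 (with a diagnostic) if a Dependabot-managed npm directory lacks either file.
check_dir() {
  root=$1; dir=$2; rc=0
  for f in package.json package-lock.json; do
    [ -f "$root/$dir/$f" ] || { echo "missing ${dir%/}/$f" >&2; rc=1; }
  done
  return $rc
}

# Check every npm directory from the config; non-zero if any directory failed.
check_dependency_files() {
  root=$1; cfg=$2; status=0
  for d in $(npm_dirs "$cfg"); do
    check_dir "$root" "$d" || status=1
  done
  return $status
}

# Constructed sample repo reproducing the bug: root is complete, /tests/types has
# only a lockfile, and a github-actions entry must be ignored. Prints the path.
make_sample_repo() {
  repo=$(mktemp -d)
  mkdir -p "$repo/.github" "$repo/tests/types"
  printf '%s\n' 'version: 2' 'updates:' \
    '  - package-ecosystem: npm' '    directory: "/"' \
    '  - package-ecosystem: npm' '    directory: /tests/types' \
    '  - package-ecosystem: github-actions' '    directory: /' \
    > "$repo/.github/dependabot.yml"
  echo '{}' > "$repo/package.json"; echo '{}' > "$repo/package-lock.json"
  echo '{}' > "$repo/tests/types/package-lock.json"
  echo "$repo"
}
# Usage: repo=$(make_sample_repo); check_dependency_files "$repo" "$repo/.github/dependabot.yml"
```

Run against a real checkout as `check_dependency_files . .github/dependabot.yml`; a non-zero exit is what the CI step should fail on.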