ci(dependabot): switch to security-only mode#359
Merged
Conversation
The previous config opened weekly version-update PRs as well as security-update PRs. The first scheduled run after enabling grouping produced 19 PRs, only one of which was a grouped minor/patch bump -- the rest were ungrouped majors (dotenv 16->17 alone produced 12 PRs because it is a top-level dep in every examples/* package.json). Setting open-pull-requests-limit: 0 on each ecosystem block disables version-update PRs while keeping the ecosystem registered so security-update PRs still flow when alerts fire. The security-update grouping rules are preserved. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This was referenced Jun 2, 2026
Previous revision of this branch set open-pull-requests-limit: 0 to disable all routine version-update PRs. Per follow-up review we want a single weekly grouped PR per ecosystem covering majors + minors + patches instead -- easier to review at a glance than many small PRs. - Drop open-pull-requests-limit: 0 (let routine PRs flow again) - Add npm-all / pip-all / devcontainers-all / github-actions-all groups matching every package and every update-type (major, minor, patch) -- collapses everything into one PR per ecosystem per weekly run. - Keep the security-updates groups as separate PRs so security work isn't buried in routine churn. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…osystem" This reverts commit f705855.
The other ecosystem blocks all have an `applies-to: security-updates` group that bundles minor/patch security alerts into a single PR; devcontainers was missing one. Adding it for consistency. In practice the repo has exactly one devcontainer config so there's little to bundle, but this keeps the policy uniform and future-proof if more devcontainer configs are added later. Major-severity security bumps still fall through ungrouped (one PR per advisory) for breaking-change review, matching the other ecosystems. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Per rubber-duck review: 1. devcontainers does not support Dependabot security updates (only version updates per the supported-ecosystems matrix), so in security-only mode the block is inert. Drop it entirely; documented the rationale in the file header. 2. update-types: [minor, patch] is a SemVer-level filter, not an advisory severity filter. The earlier comments said "major security bumps fall through ungrouped" which conflated SemVer-major with high/critical severity. A critical CVE patched by a SemVer-patch bump IS grouped; a low CVE requiring a SemVer-major bump is not. Reworded the comments to make that explicit. 3. Added a header note listing the repo-level Settings > Code security toggles this config depends on (Dependency graph, Dependabot alerts, Dependabot security updates, Grouped security updates). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
robgruen
approved these changes
Jun 2, 2026
Why
The first scheduled Dependabot run after enabling grouping produced 19 PRs (#340-#358). Only #340 (npm-development group) was grouped; the rest were ungrouped majors -- dotenv 16->17 alone produced 12 PRs because it's a top-level dep in every example's package.json. We want zero routine version-update PRs — only security-update PRs.
What this does
Sets open-pull-requests-limit: 0 on every ecosystem block. Per GitHub docs this disables routine version-update PRs while keeping the ecosystem registered so security-update PRs still flow when alerts fire. The applies-to: security-updates grouping rules are preserved.
Follow-up
The 19 noisy PRs (#340-#358) were already closed. The fix-dependabot-alerts workflow (#339) handles automated security remediation; routine version updates are not auto-PR'd by this config.
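Putting the commit messages and the description above together, this is what a security-only dependabot.yml looks like. It is an added illustration, not the repository's actual .github/dependabot.yml; the ecosystems, directory paths and the /examples/* glob are assumptions.

```yaml
# Constructed example of the security-only Dependabot config described in this PR.
# Not the repository's own file; ecosystems and directory paths are assumed.
#
# Repo-level Settings > Code security toggles this config depends on:
#   Dependency graph, Dependabot alerts, Dependabot security updates,
#   Grouped security updates.
#
# devcontainers is intentionally absent: Dependabot supports only version
# updates for that ecosystem, so in security-only mode the block would be inert.
version: 2
updates:
  - package-ecosystem: "npm"
    # Each examples/* package.json is its own manifest; without the limit below,
    # one major bump of a shared dep opens one PR per manifest.
    directories:
      - "/"
      - "/examples/*"
    schedule:
      interval: "weekly"
    # 0 disables routine version-update PRs but keeps the ecosystem registered,
    # so security-update PRs still open when an alert fires.
    open-pull-requests-limit: 0
    groups:
      npm-security:
        applies-to: security-updates
        patterns: ["*"]
        # SemVer-level filter, not advisory severity: a critical CVE fixed by a
        # patch bump is grouped; a low CVE needing a major bump gets its own PR.
        update-types: ["minor", "patch"]

  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    groups:
      pip-security:
        applies-to: security-updates
        patterns: ["*"]
        update-types: ["minor", "patch"]

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    groups:
      actions-security:
        applies-to: security-updates
        patterns: ["*"]
        update-types: ["minor", "patch"]
```

A quick sanity check after merging: the next scheduled run should open no PRs at all, and a security PR should only appear once an alert fires for one of the registered ecosystems.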