chore(dependabot): group routine and security update PRs #319
Merged
Add grouping rules to the existing nuget and (new) github-actions ecosystems so that multiple updates in a given run collapse into a single PR, with security-advisory-triggered updates grouped separately so they can be prioritised on their own. Major-version bumps continue to open one PR per package so reviewers have a chance to evaluate them individually (and the existing System.* / Microsoft.Extensions.* / Microsoft.Bcl.* major-version ignore rules remain in effect). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR updates the repository’s Dependabot configuration to reduce update PR noise by grouping routine dependency updates and separating security-triggered updates into their own grouped PRs, and it adds Dependabot coverage for the github-actions ecosystem.
Changes:
- Add grouping rules for NuGet updates to combine minor/patch updates into a single PR per run.
- Add a separate NuGet group for security updates via applies-to: security-updates.
- Add a new github-actions Dependabot ecosystem entry, including grouped routine and security updates.
…r/patch Addresses Copilot review feedback on #319: the nuget-security and both github-actions groups previously matched all version updates, which would collapse major-version bumps into the grouped PR. The PR description (and the comment above the nuget groups) promised major bumps would fall through as one-PR-per-package, but only the routine nuget group enforced that. Adds update-types: [minor, patch] to nuget-security, github-actions, and github-actions-security groups so major bumps remain individual PRs and can be reviewed for breaking-change notes. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
TalZaccai added a commit to microsoft/TypeChat that referenced this pull request on Jun 2, 2026
…/patch Same fix applied to microsoft/typechat.net#319: groups without update-types collapse major-version bumps into the grouped PR, which defeats the goal of keeping majors as one-PR-per-package for breaking-change review. Constrains npm-security, pip-security, devcontainers, github-actions, and github-actions-security groups to [minor, patch]. The npm-production, npm-development, and pip-all groups were already correctly constrained. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
robgruen approved these changes on Jun 2, 2026
TalZaccai added a commit to microsoft/TypeChat that referenced this pull request on Jun 2, 2026
* chore(dependabot): add npm/pip ecosystems and group updates
The existing dependabot.yml only declared the devcontainers and github-actions ecosystems, leaving npm and pip completely unmanaged. All open security alerts in this repo (currently 9, all under typescript/package-lock.json) target ecosystems Dependabot wasn't watching, so no update PRs have ever been opened for them.
This change:
* Adds npm coverage for /typescript, /typescript/examples/*, and /site
* Adds pip coverage for /python (pyproject.toml)
* Adds grouping rules across all ecosystems so multiple alerts in a given run collapse into a single PR (separately for routine version updates vs security-advisory-triggered updates, so security PRs can be prioritised on their own). Major-version bumps continue to open one PR per package so reviewers have a chance to evaluate them individually.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore(dependabot): constrain all security & catch-all groups to minor/patch
Same fix applied to microsoft/typechat.net#319: groups without update-types collapse major-version bumps into the grouped PR, which defeats the goal of keeping majors as one-PR-per-package for breaking-change review. Constrains npm-security, pip-security, devcontainers, github-actions, and github-actions-security groups to [minor, patch]. The npm-production, npm-development, and pip-all groups were already correctly constrained.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore(dependabot): tighten header comment
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Same fix applied to microsoft/TypeChat#338 from @robgruen's review: the default 'To get started...' header was the auto-generated template and no longer describes what's in the file. Replaced with a header that documents the routine/security/major-bump grouping policy this config actually applies. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
TalZaccai added a commit that referenced this pull request on Jun 2, 2026
Resolves conflicts from main commits #314 (Microsoft.Extensions.Configuration.Binder 10.0.1 -> 10.0.2) and #319 (Dependabot grouping config).
Conflict resolution:
- 3 csproj files (examples/typechat.examplesLib, src/typechat.meai, src/typechat.sk): kept ours (version-less PackageReferences, as required by CPM).
- Directory.Packages.props: bumped Microsoft.Extensions.Configuration.Binder PackageVersion from 10.0.1 to 10.0.2 to absorb the #314 change centrally so all consumers pick it up via CPM.
- .github/dependabot.yml, OpenAIConfig.cs, integration_tests.yml: merged in cleanly from main without conflict.
Validation:
- dotnet restore: clean, 0 NU190x warnings
- dotnet build /warnaserror: 0 warnings, 0 errors
- dotnet test tests/TypeChat.UnitTests: 154/154 passed
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Change
Add Dependabot grouping rules to the existing nuget ecosystem (and add coverage for github-actions, which wasn't previously declared) so that multiple updates in a given run collapse into a single PR. Routine version updates and security-advisory-triggered updates are grouped separately (via applies-to: security-updates) so security PRs can be prioritised on their own. Major-version bumps continue to open one PR per package so reviewers can evaluate them individually, and the existing System.* / Microsoft.Extensions.* / Microsoft.Bcl.* major-version ignore rules remain in effect.
Status
This repo currently has 0 open Dependabot alerts, so this change is preventive — it ensures that when alerts do accumulate, they arrive as a single triageable PR rather than many.
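As an added illustration of the grouping policy described in this PR and in the follow-up "constrain to minor/patch" commit (this is not the repository's actual .github/dependabot.yml), here is a Dependabot configuration that keeps routine and security-advisory updates in separate grouped PRs while letting major bumps fall through as one PR per package. The group names nuget-security, github-actions and github-actions-security come from the PR; the nuget-routine group name, the directory values and the weekly schedule are assumptions.

```yaml
# Added illustration of the grouping policy described in the PR; this is not
# the repository's actual .github/dependabot.yml. Group names other than
# nuget-security, github-actions and github-actions-security are assumed.
version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # Routine (version-update) bumps: one PR per run, minor/patch only.
      nuget-routine:                      # assumed group name
        applies-to: version-updates
        patterns: ["*"]
        update-types: ["minor", "patch"]
      # Security-advisory-triggered bumps land in their own grouped PR so
      # they can be triaged and prioritised separately from routine noise.
      nuget-security:
        applies-to: security-updates
        patterns: ["*"]
        # Without this line the group matches *all* update types, so a
        # major-version security bump would be folded into the grouped PR
        # and its breaking-change notes lost in the batch; with it, majors
        # fall through to Dependabot's default of one PR per package.
        update-types: ["minor", "patch"]
    ignore:
      # Existing major-version ignore rules stay in effect: major bumps for
      # these package families are not opened at all.
      - dependency-name: "System.*"
        update-types: ["version-update:semver-major"]
      - dependency-name: "Microsoft.Extensions.*"
        update-types: ["version-update:semver-major"]
      - dependency-name: "Microsoft.Bcl.*"
        update-types: ["version-update:semver-major"]

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        applies-to: version-updates
        patterns: ["*"]
        update-types: ["minor", "patch"]
      github-actions-security:
        applies-to: security-updates
        patterns: ["*"]
        update-types: ["minor", "patch"]
```

The two github-actions groups mirror the nuget ones: pinned action versions also receive security advisories, and a major bump of an action (which can change inputs or required permissions) still arrives as its own PR for review.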