Skip to content

Commit 050aa3a

Browse files
committed
chore(deps): tighten dependabot policy — block majors + lock lint plugins
Adapted from common large-org practice for taming dependabot noise. Two policy layers, applied to every npm ecosystem (root, packages/core, packages/mantine, and the github-actions block): 1. Global semver-major block. Major bumps need hands-on evaluation — breaking changes, peer-dep ripples, migration cost. They never auto-PR; bump manually when time permits. (Already saw this with @Mantine 9.x x4 + TypeScript 6.0 in last week's batch.) 2. Lint / typecheck plugin minor lock — applied to: - eslint - eslint-plugin-* - @typescript-eslint/* - typescript-eslint - typescript These tools routinely add new rules on minor bumps that flag previously-passing code. ESLint's own SemVer policy explicitly says "rule improvements → more errors → minor". Locking auto-PRs to patch keeps CI green; we'll bump minors manually when ready to address new violations. The trigger was eslint-plugin-react-hooks 7.0.1 → 7.1.0 (April 2026), which improved set-state-in-effect / ref-during-render detection and made the compiler report all errors instead of stopping at the first. 20+ new diagnostics surfaced in our MarkdownContent block-memo code, where render-time ref reads are by design for cache lookup. Dependabot will re-generate the dev-deps batch shortly without react-hooks 7.x minors. PR #12 closed as superseded by this policy.
1 parent ea1aa2d commit 050aa3a

1 file changed

Lines changed: 77 additions & 2 deletions

File tree

.github/dependabot.yml

Lines changed: 77 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,19 @@
11
version: 2
2+
3+
# Shared ignore policy (copied verbatim across the three npm ecosystems
4+
# because dependabot.yml does not support YAML anchors at the top level).
5+
#
6+
# - Major bumps across the dependency graph: blocked. Breaking changes,
7+
# peer-dep ripples, and migration cost need hands-on evaluation; we
8+
# bump majors manually.
9+
# - Lint / typecheck plugins (eslint, eslint-plugin-*, @typescript-eslint,
10+
# typescript itself): minors blocked. These tools routinely add new
11+
# rules on minor bumps that flag previously-passing code; locking to
12+
# patch keeps CI green. We'll bump minors manually when we have time
13+
# to address new violations. (See eslint-plugin-react-hooks 7.0→7.1,
14+
# April 2026, which broke MarkdownContent.tsx with 20+ new ref/effect
15+
# diagnostics — none of which were API changes.)
16+
217
updates:
318
# npm dependencies in the monorepo root (devDeps: storybook, vitest, eslint, etc.)
419
- package-ecosystem: npm
@@ -11,8 +26,26 @@ updates:
1126
open-pull-requests-limit: 5
1227
labels:
1328
- dependencies
29+
ignore:
30+
- dependency-name: '*'
31+
update-types:
32+
- version-update:semver-major
33+
- dependency-name: 'eslint'
34+
update-types:
35+
- version-update:semver-minor
36+
- dependency-name: 'eslint-plugin-*'
37+
update-types:
38+
- version-update:semver-minor
39+
- dependency-name: '@typescript-eslint/*'
40+
update-types:
41+
- version-update:semver-minor
42+
- dependency-name: 'typescript-eslint'
43+
update-types:
44+
- version-update:semver-minor
45+
- dependency-name: 'typescript'
46+
update-types:
47+
- version-update:semver-minor
1448
groups:
15-
# Group all minor / patch dev-deps into one PR per week
1649
dev-deps:
1750
dependency-type: development
1851
update-types:
@@ -31,6 +64,25 @@ updates:
3164
labels:
3265
- dependencies
3366
- 'scope:core'
67+
ignore:
68+
- dependency-name: '*'
69+
update-types:
70+
- version-update:semver-major
71+
- dependency-name: 'eslint'
72+
update-types:
73+
- version-update:semver-minor
74+
- dependency-name: 'eslint-plugin-*'
75+
update-types:
76+
- version-update:semver-minor
77+
- dependency-name: '@typescript-eslint/*'
78+
update-types:
79+
- version-update:semver-minor
80+
- dependency-name: 'typescript-eslint'
81+
update-types:
82+
- version-update:semver-minor
83+
- dependency-name: 'typescript'
84+
update-types:
85+
- version-update:semver-minor
3486
groups:
3587
runtime-deps:
3688
dependency-type: production
@@ -50,18 +102,41 @@ updates:
50102
labels:
51103
- dependencies
52104
- 'scope:mantine'
105+
ignore:
106+
- dependency-name: '*'
107+
update-types:
108+
- version-update:semver-major
109+
- dependency-name: 'eslint'
110+
update-types:
111+
- version-update:semver-minor
112+
- dependency-name: 'eslint-plugin-*'
113+
update-types:
114+
- version-update:semver-minor
115+
- dependency-name: '@typescript-eslint/*'
116+
update-types:
117+
- version-update:semver-minor
118+
- dependency-name: 'typescript-eslint'
119+
update-types:
120+
- version-update:semver-minor
121+
- dependency-name: 'typescript'
122+
update-types:
123+
- version-update:semver-minor
53124
groups:
54125
runtime-deps:
55126
dependency-type: production
56127
update-types:
57128
- minor
58129
- patch
59130

60-
# GitHub Actions used in workflows
131+
# GitHub Actions used in workflows — major-block only; no lint-plugin lock needed.
61132
- package-ecosystem: github-actions
62133
directory: /
63134
schedule:
64135
interval: monthly
65136
labels:
66137
- dependencies
67138
- 'scope:ci'
139+
ignore:
140+
- dependency-name: '*'
141+
update-types:
142+
- version-update:semver-major

0 commit comments

Comments
 (0)