Commit 4e44b05
chore(deps): group Dependabot security updates to cut PR noise
Security-updates (GHSA-driven) bypass grouping by default, so each
advisory opens its own PR — four landed the same day (cryptography,
tornado, bleach, jupyter-server). Add an `applies-to: security-updates`
group per ecosystem so a burst of advisories batches into a single PR
instead of one per package. The existing version-update groups now carry
an explicit `applies-to: version-updates`, required once a second group
exists in the block.
Security PRs stay advisory-timed: cooldown and the monthly schedule
apply only to version-updates, by design — grouping only collapses the
count, it does not delay or auto-merge CVE fixes.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>1 parent 3eca0f0 commit 4e44b05
1 file changed
Lines changed: 16 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
18 | 18 | | |
19 | 19 | | |
20 | 20 | | |
| 21 | + | |
| 22 | + | |
21 | 23 | | |
22 | 24 | | |
23 | 25 | | |
24 | | - | |
25 | | - | |
26 | | - | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
27 | 32 | | |
28 | 33 | | |
29 | 34 | | |
| |||
39 | 44 | | |
40 | 45 | | |
41 | 46 | | |
| 47 | + | |
42 | 48 | | |
43 | 49 | | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
44 | 53 | | |
45 | 54 | | |
46 | 55 | | |
| |||
55 | 64 | | |
56 | 65 | | |
57 | 66 | | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
58 | 71 | | |
59 | 72 | | |
60 | 73 | | |
| |||
0 commit comments