
Commit 4e44b05

cailmdaley and claude committed
chore(deps): group Dependabot security updates to cut PR noise
Security-updates (GHSA-driven) bypass grouping by default, so each advisory opens its own PR — four landed the same day (cryptography, tornado, bleach, jupyter-server). Add an `applies-to: security-updates` group per ecosystem so a burst of advisories batches into a single PR instead of one per package.

The existing version-update groups now carry an explicit `applies-to: version-updates`, required once a second group exists in the block.

Security PRs stay advisory-timed: cooldown and the monthly schedule apply only to version-updates, by design — grouping only collapses the count, it does not delay or auto-merge CVE fixes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 3eca0f0 commit 4e44b05

1 file changed

Lines changed: 16 additions & 3 deletions


.github/dependabot.yml

@@ -18,12 +18,17 @@
1818
# atomic to revert, large enough to actually be reviewed.
1919
# - Major bumps stay as individual PRs (potentially breaking; each
2020
# deserves its own review).
21+
# - Security updates are grouped too (one batched PR per ecosystem) so a
22+
# same-day burst of advisories arrives as a single PR, not one per package.
2123
# - No auto-merge anywhere. Lockfile diffs are uninspectable; we eyeball
2224
# the version metadata and source links before merging.
2325
#
24-
# Note: cooldown does NOT apply to security-updates (the GHSA-driven PRs).
25-
# Those still fire on the CVE-publication timeline, which is the right
26-
# tradeoff for shapepipe — fix CVEs fast, but don't auto-merge them either.
26+
# Note: cooldown and the monthly schedule do NOT apply to security-updates
27+
# (the GHSA-driven PRs) — only to version-updates. Security PRs still fire on
28+
# the CVE-publication timeline, which is the right tradeoff for shapepipe (fix
29+
# CVEs fast). The `applies-to: security-updates` groups below don't change that
30+
# timing; they only collapse a burst into one PR. Each `groups` block needs an
31+
# explicit `applies-to`, hence the paired version/security groups per ecosystem.
2732

2833
version: 2
2934

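Review bot: the new note at 26+ to 31+ says the security groups "only collapse a burst into one PR" and never change timing, but batching has a cost the comment should own: if one bump inside the batched security PR fails CI or needs a pin, every other advisory in that PR waits on it, so in the worst case grouping does delay individual CVE fixes. One sentence stating the accepted tradeoff (batch first, split the PR if CI fails) would make the "fix CVEs fast" promise read as a conscious choice. Separately, "Each `groups` block needs an explicit `applies-to`" at 31+ reads as an unconditional rule, while the commit message says it is only required once a second group exists; pick one wording, e.g. "once a security-updates group is present, give every group in the block an explicit `applies-to`".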
@@ -39,8 +44,12 @@ updates:
3944
semver-major-days: 30
4045
groups:
4146
lockfile-minor-patch:
47+
applies-to: version-updates
4248
patterns: ["*"]
4349
update-types: ["minor", "patch"]
50+
lockfile-security:
51+
applies-to: security-updates
52+
patterns: ["*"]
4453
open-pull-requests-limit: 3
4554
labels:
4655
- "dependencies"
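Review bot: `lockfile-security` (50+ to 52+) uses `patterns: ["*"]` with no `update-types`, so a security advisory whose fix requires a major bump is folded into the batch, while the header comment promises that major bumps stay as individual PRs because each deserves its own review. Either add `update-types: ["minor", "patch"]` under `lockfile-security` so major security bumps still open on their own, or amend the header comment to say that security majors are batched by design.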
@@ -55,6 +64,10 @@ updates:
5564
default-days: 14
5665
groups:
5766
actions:
67+
applies-to: version-updates
68+
patterns: ["*"]
69+
actions-security:
70+
applies-to: security-updates
5871
patterns: ["*"]
5972
open-pull-requests-limit: 2
6073
labels:
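Review bot: `actions` and `actions-security` (67+ to 70+, plus the retained `patterns: ["*"]` at 71) both match every dependency with no `update-types`, so a major action bump, which often changes an action's inputs, is batched here even though the pip block above keeps majors out of its version-updates group and the header comment says majors get their own PR. If that is intentional for the actions ecosystem, say so in the comment above this block; otherwise add `update-types: ["minor", "patch"]` to `actions` to mirror `lockfile-minor-patch`.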
