
chore(deps): group Dependabot security updates to cut PR noise #756

Merged
cailmdaley merged 1 commit into develop from chore/group-dependabot-security on Jun 20, 2026

Conversation

@cailmdaley

Contributor

What

Adds an applies-to: security-updates group to each ecosystem in .github/dependabot.yml so a burst of security advisories batches into one PR per ecosystem instead of one PR per package.

Why

The version-update side of our Dependabot config already works well — monthly schedule, 14-day cooldown, grouped minor/patch into a single PR. But Dependabot's security-updates channel (GHSA-driven) bypasses grouping, cooldown, and the schedule by default. So four security PRs landed the same day (cryptography, tornado, bleach, jupyter-server) — exactly the noise this change removes.

By default a groups block only applies to version-updates, so security PRs were never grouped. This adds a paired security group per ecosystem (and makes the existing groups' applies-to: version-updates explicit, which is required once a second group exists).

What this does not change

Security PRs stay advisory-timed — cooldown and the monthly schedule apply only to version-updates, by design (fix CVEs fast). Grouping only collapses the count; it does not delay or auto-merge CVE fixes. No auto-merge is introduced anywhere.

— Claude on behalf of Cail

🤖 Generated with Claude Code

Security-updates (GHSA-driven) bypass grouping by default, so each
advisory opens its own PR — four landed the same day (cryptography,
tornado, bleach, jupyter-server). Add an `applies-to: security-updates`
group per ecosystem so a burst of advisories batches into a single PR
instead of one per package. The existing version-update groups now carry
an explicit `applies-to: version-updates`, required once a second group
exists in the block.

Security PRs stay advisory-timed: cooldown and the monthly schedule
apply only to version-updates, by design — grouping only collapses the
count, it does not delay or auto-merge CVE fixes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
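What one ecosystem entry looks like after this change, shown as an added illustration rather than the repository's actual .github/dependabot.yml (the pip ecosystem, root directory and group names are assumptions; the schedule, cooldown and applies-to values follow the description and commit message above):

```yaml
version: 2
updates:
  - package-ecosystem: "pip"   # assumed ecosystem; the same shape is repeated per ecosystem
    directory: "/"             # assumed manifest location
    # Version updates: scheduled and rate-limited, as the existing config already does.
    schedule:
      interval: "monthly"
    cooldown:
      default-days: 14
    groups:
      # Before this change the group below existed without the `applies-to` line.
      # A group with no `applies-to` only covers version-updates, so advisory-driven
      # PRs were never grouped and each one opened its own PR.
      minor-and-patch:
        applies-to: version-updates   # now explicit; required once a second group exists
        update-types:
          - "minor"
          - "patch"
      # Paired security group: every advisory-driven bump for this ecosystem lands
      # in one PR. Schedule and cooldown above do not apply to security updates,
      # so this collapses the PR count without delaying CVE fixes.
      security:
        applies-to: security-updates
        patterns:
          - "*"
```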
cailmdaley merged commit d785c61 into develop on Jun 20, 2026
2 checks passed
