ci: group Dependabot updates across mirrored packages#867
Merged
Conversation
Last 50 Dependabot PRs: 0 merged, 40 closed without merge, 10 still open. Same dep (e.g. tsdown) recreates 5 near-identical PRs per release across the mirrored npm packages, drowning reviewers and masking real security updates. Address SECURITY-AUDIT.md item #12. Use Dependabot v2 `directories:` (plural) so groups span all six `/packages/*` directories in a single PR. Groups limited to minor+patch to keep majors reviewable individually; security updates bypass groups automatically.
|
Contributor
size-limit report 📦
|
afsalz
approved these changes
May 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Consolidates Dependabot version-update PRs across the six mirrored
/packages/*directories using v2directories:(plural) plus per-ecosystemgroups.Why now
Across the last 50 Dependabot PRs:
Same dep recreates near-identical PRs per release across mirrored packages — examples from the last ~6 weeks:
tsdown@0.22.0typescript@6.0.3typescript@6.0.2tsdown@0.21.9tsdown@0.21.8tsdown@0.21.7Each round is auto-superseded by the next bump a week later and closed unmerged, so reviewers see churn instead of signal — and real security updates (e.g. #826 postcss, sitting open since 2026-04-29) get lost.
What this changes
updates:entries with a singledirectories:(plural) entry — one grouped PR will now span all six packages.dev-dependenciesandprod-dependencies, both scoped tominor+patchonly.github-actionsgroup covering all action bumps.What stays the same
update-types: ["minor", "patch"]filter excludes majors from the groups — they need individual review./apps/viewerremains out of scope (already covered by security updates today).Package(s) affected
Type of change
Checklist
Notes for reviewer
After merge, Dependabot will recompute its open PR set on the next scheduled run. Existing open PRs (#859–#865, #846, #826, #799) will be auto-closed and replaced by grouped PRs on the next cycle. No manual cleanup required.