chore(deps): batch Dependabot bumps into a weekly grouped PR#3259
Open
anegg0 wants to merge 2 commits into
Conversation
Switches from daily individual bumps (which produced 5+ stale open PRs at a time) to monthly grouping for minor/patch version updates. Major bumps still open individually as a review checkpoint. Critical security PRs continue to fire immediately via the separate Dependabot security-updates feature.
Shortens the patch-window for upstream-fixed-but-unflagged vulnerabilities from ~30 days to ~7 days while preserving the grouping benefits.
Summary
Switches Dependabot version updates from `daily` (one PR per dep, every day) to `weekly` with grouping, so non-critical bumps consolidate into a single PR per cycle.

What changes

- `daily` → `weekly`
- `npm-minor-and-patch`. Major bumps still open individually for breaking-change review.
- `open-pull-requests-limit: 5` (was unset/default-5).
- `chore(deps): ...` with scope.

Critical security PRs are unaffected
Dependabot's security updates feature is separate from version updates and ignores the schedule. When a GHSA advisory matches a current dependency, Dependabot opens an individual PR immediately, regardless of this config.
This requires Settings → Code security & analysis → Dependabot security updates to be on (verify before merging this PR).
Why weekly (not monthly)
Weekly limits the gap for upstream patches that fix vulnerabilities before a GHSA advisory is published (or that are never formally tracked). ~7-day blind spot vs ~30 days, while keeping the same review-overhead benefits as monthly grouping.
Why
Recent state was 5+ stale open Dependabot PRs (#3221, #3248, #3250, #3251, #3257) accumulated over weeks, all individual yarn.lock churn. Weekly grouping cuts review overhead while keeping criticals fast-tracked through the security-updates path.
Test plan
`@dependabot recreate` to trigger sooner).

🤖 Generated with Claude Code
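The weekly grouped configuration this PR describes, shown here as an added illustration rather than the PR's own diff; the `npm` ecosystem, the `/` directory and the shape of the pre-change `daily` block are assumptions, while the interval, group name, PR limit and commit prefix come from the description above.

```yaml
# Added example, not this PR's diff. Ecosystem and directory are assumed.
version: 2
updates:
  # Before (assumed shape): daily interval and no groups, so every bump
  # opened its own PR and stale PRs piled up between reviews.
  # - package-ecosystem: "npm"
  #   directory: "/"
  #   schedule:
  #     interval: "daily"

  # After: weekly cadence; minor/patch bumps land in one grouped PR,
  # majors match no group and therefore still open individually.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    groups:
      npm-minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    commit-message:
      prefix: "chore(deps)"
      include: "scope"
```

Nothing in this file controls Dependabot security updates; those are a repository setting and, as the description notes, must be enabled separately for advisory-driven PRs to bypass the weekly schedule.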