Skip to content

deps: group Dependabot security updates per entry#258

Merged
ksroda-sa merged 1 commit into
mainfrom
deps/group-dependabot-security-updates
Jun 17, 2026
Merged

deps: group Dependabot security updates per entry#258
ksroda-sa merged 1 commit into
mainfrom
deps/group-dependabot-security-updates

Conversation

@ksroda-sa

Copy link
Copy Markdown
Collaborator

What

Adds a security group (applies-to: security-updates) to every ecosystem entry in .github/dependabot.yml, and makes the existing group's applies-to: version-updates explicit.

Why

Version-update groups default to applies-to: version-updates, so vulnerability-alert bumps fell through and each opened its own PR — e.g. #253 (ws) and #254 (tar), both in react-native/login-pkce, which should have been one PR.

Effect

  • Vuln bumps in an entry's directories now collapse into a single PR, mirroring the existing minor-and-patch grouping.
  • No update-types filter on the security group, since a fix may require a major bump.
  • Grouping is still per updates: entry (same boundary as version updates), so a vuln across two frameworks stays as separate PRs.

🤖 Generated with Claude Code

Vulnerability-alert bumps defaulted to one PR each because version-update
groups only apply to version updates.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ksroda-sa ksroda-sa marked this pull request as ready for review June 16, 2026 09:34
@ksroda-sa ksroda-sa requested a review from a team as a code owner June 16, 2026 09:34
Copilot AI review requested due to automatic review settings June 16, 2026 09:34
@ksroda-sa ksroda-sa requested a review from a team as a code owner June 16, 2026 09:34

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the repository’s Dependabot configuration to reduce PR noise by ensuring security (vulnerability-alert) updates are grouped per updates: entry, similarly to how minor/patch version updates are already grouped.

Changes:

  • Adds a security group with applies-to: security-updates to each Dependabot updates: entry so security fixes are bundled per entry.
  • Makes the existing minor-and-patch group explicitly applies-to: version-updates across ecosystems.
  • Adds the same security grouping behavior to the github-actions ecosystem entry.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@ksroda-sa ksroda-sa merged commit 0615d42 into main Jun 17, 2026
19 checks passed
@ksroda-sa ksroda-sa deleted the deps/group-dependabot-security-updates branch June 17, 2026 10:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants