Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
version: 2
updates:
- package-ecosystem: npm

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 bugs: The mcp-server/ directory has its own package.json and package-lock.json outside the npm workspaces (root workspaces are packages/* and frontend). Dependabot's npm entry with directory: / will only scan the root lockfile and won't monitor mcp-server/ dependencies. Add a second npm ecosystem entry with directory: /mcp-server. [fixable]

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 unsafe_assumptions: The npm ecosystem entry uses directory: / which covers the root workspace, but this is an npm workspace monorepo with mcp-server/ having its own package.json outside the workspace config. Dependabot should handle workspace packages under packages/* and frontend/ automatically since they're declared in root workspaces, but mcp-server/ is not a workspace member — consider adding a separate npm entry with directory: /mcp-server so its dependencies also get updates. [fixable]

directory: /
schedule:
interval: weekly
day: monday
groups:

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 style: Consider adding open-pull-requests-limit (default is 5) to control PR volume, and labels (e.g., [dependencies]) for easy filtering. Minor quality-of-life improvement — not blocking. [fixable]

minor-and-patch:

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 style: The npm grouping only covers minor and patch updates. Major version bumps will arrive as individual PRs (one per package), which could be noisy. Consider adding a separate major group or an open-pull-requests-limit to cap PR volume. [fixable]

update-types: [minor, patch]
- package-ecosystem: docker

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 unsafe_assumptions: The docker ecosystem entry monitors Dockerfiles for base image updates, but this repo has no Dockerfile — it only uses pre-built images in docker-compose.yml (Jaeger, Loki, Grafana, MLflow). Dependabot's docker ecosystem won't update docker-compose.yml image tags; it only parses FROM directives in Dockerfiles. This entry is inert and can be removed to avoid confusion. If the intent is to track compose image versions, Dependabot added docker-compose ecosystem support — use package-ecosystem: docker-compose with directory: / instead. [fixable]

directory: /
schedule:
interval: weekly
day: monday
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
day: monday
Loading