Skip to content

chore(ci): keep playground + docs-website out of the Dependabot npm graph#360

Open
codehippie1 wants to merge 1 commit into
masterfrom
chore/dependabot-exclude-demo-docs
Open

chore(ci): keep playground + docs-website out of the Dependabot npm graph#360
codehippie1 wants to merge 1 commit into
masterfrom
chore/dependabot-exclude-demo-docs

Conversation

@codehippie1

Copy link
Copy Markdown
Contributor

The published library (lib/) ships with 0 runtime dependencies, but the repo also vendors a demo app (playground/) and a Docusaurus docs site (docs-website/) whose dev/build tooling carries the usual stream of advisories. Those surfaced as ~20 Dependabot alerts even though none of them reach users of the npm package.

This adds exclude-paths to the npm entry in .github/dependabot.yml so playground/** and docs-website/** are kept out of the npm dependency-graph build, and therefore out of security alerts. Update PRs were already scoped to /lib.

It also corrects a stale comment: the previous note claimed a Dependabot auto-triage rule suppressed these by manifest path, but auto-triage rules can't match on path — which is why the alerts were still open.

Note: exclude-paths is a newer Dependabot key; if it doesn't fully take effect for npm, the fallback is a one-time bulk-dismiss of the existing demo/docs alerts.

@vercel

vercel Bot commented Jun 25, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
angular-pdf-viewer-demo Ready Ready Preview, Comment Jun 25, 2026 2:29am
angular-pdf-viewer-docs Ready Ready Preview, Comment Jun 25, 2026 2:29am

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant