chore(ci): keep playground + docs-website out of the Dependabot npm graph#360
Open
codehippie1 wants to merge 1 commit into
Open
chore(ci): keep playground + docs-website out of the Dependabot npm graph#360codehippie1 wants to merge 1 commit into
codehippie1 wants to merge 1 commit into
Conversation
…h via exclude-paths
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The published library (
lib/) ships with 0 runtime dependencies, but the repo also vendors a demo app (playground/) and a Docusaurus docs site (docs-website/) whose dev/build tooling carries the usual stream of advisories. Those surfaced as ~20 Dependabot alerts even though none of them reach users of the npm package.This adds
exclude-pathsto the npm entry in.github/dependabot.ymlsoplayground/**anddocs-website/**are kept out of the npm dependency-graph build, and therefore out of security alerts. Update PRs were already scoped to/lib.It also corrects a stale comment: the previous note claimed a Dependabot auto-triage rule suppressed these by manifest path, but auto-triage rules can't match on path — which is why the alerts were still open.
Note:
exclude-pathsis a newer Dependabot key; if it doesn't fully take effect for npm, the fallback is a one-time bulk-dismiss of the existing demo/docs alerts.