Add `.github/dependabot.yml` so Dependabot opens weekly PRs to bump our dependencies. Currently we have security alerts on but no automated version-update PRs — meaning GitHub will tell us about CVEs but won't help us stay current ahead of them.

## Why

- CVE prevention beats CVE response — security alerts catch known vulns reactively; version bumps reduce the window where we're sitting on outdated code.
- Low cost, high signal — Dependabot PRs land already-CI'd; merging is usually one click. The infrastructure pays back almost immediately.
- Multi-ecosystem repo — we have three update channels (`pip`, `github-actions`, `docker`) and none of them are tracked today.
## Current state

- `.github/dependabot.yml` — does not exist
- Security alerts (CVE notifications) — enabled (verified via `GET /repos/.../vulnerability-alerts` → 204)
- Existing workflows — `.github/workflows/ci.yml`, `conventional-commits.yml` (with `release-please.yml` to come from #86, Set up release-please for automated versioning and CHANGELOG generation)

## Scope

Add `.github/dependabot.yml` with three update entries:

- `package-ecosystem: pip`, `directory: /`, weekly schedule. Source of truth for Python deps is `pyproject.toml`.
- `package-ecosystem: github-actions`, `directory: /`, weekly schedule. Keeps action versions (`actions/checkout@vX`, `actions/setup-python@vX`, etc.) current.
- `package-ecosystem: docker`, `directory: /`, weekly schedule. Catches base-image updates on the `Dockerfile`.
## Configuration choices

- Schedule — `interval: weekly` (daily is noisy for low-traffic dep ecosystems; monthly drifts too far between checks)
- Grouping — group `minor` and `patch` updates into one PR per ecosystem to reduce PR volume; let `major` bumps land as individual PRs since they're more likely to need code changes
- Commit message prefix — match the conventional-commits format so the release-please from #86 (Set up release-please for automated versioning and CHANGELOG generation) doesn't choke on Dependabot's PRs. `prefix: "chore"` with `prefix-development: "chore"` produces messages like `chore(deps): bump foo from 1.0 to 1.1` — clean.
- Open-PR limit — `open-pull-requests-limit: 10` per ecosystem (default 5) — generous but bounded
- Labels — auto-label Dependabot PRs with `dependencies` (create the label if it doesn't exist)
- Reviewers / assignees — TBD; can start without auto-assignment and add later if the PRs need triaging
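The config these choices add up to, as an added example rather than a file already in the repo; the group name `minor-and-patch` and the `include: "scope"` key (which is what puts the `(deps)` scope into the commit prefix) are assumptions on top of the choices listed above:

```yaml
# .github/dependabot.yml (added example; group name and include: scope are assumed)
version: 2
updates:
  # Python deps; Dependabot reads pyproject.toml for the pip ecosystem
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels: ["dependencies"]
    commit-message:
      prefix: "chore"
      prefix-development: "chore"
      include: "scope"   # gives chore(deps): / chore(deps-dev): rather than bare chore:
    groups:
      # minor and patch bumps share one PR; majors fall outside the group
      # and open as individual PRs
      minor-and-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]

  # action pins (actions/checkout@vX, actions/setup-python@vX, ...)
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels: ["dependencies"]
    commit-message:
      prefix: "chore"
      include: "scope"
    groups:
      minor-and-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]

  # base-image updates in the Dockerfile
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels: ["dependencies"]
    commit-message:
      prefix: "chore"
      include: "scope"
    groups:
      minor-and-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]
```

Once merged, the Dependabot tab under Insights → Dependency Graph shows whether the file parsed and when each ecosystem was last checked, which covers the first two acceptance criteria.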
## Documentation

- One-line mention in the README's Development section noting deps are auto-updated weekly

## Acceptance criteria

- `.github/dependabot.yml` exists, is valid YAML, and lints in GitHub's UI (badge under repo Insights → Dependency Graph → Dependabot)
- Within a week of merge, Dependabot has opened at least one PR (or confirmed nothing needs updating, visible in the Dependabot tab)
- Dependabot PR commit messages use the conventional-commits format — verified by inspecting an opened PR
- Existing CI (`ci.yml`) runs against Dependabot PRs without auth/secret issues

## Out of scope

- Auto-merge of Dependabot PRs — possible later (e.g. via a separate workflow that merges patch-level updates after CI is green), but a manual-review default is safer for a pre-1.0 project
- npm / other ecosystems — we don't have those yet; revisit if/when a JS bundle lands
- Renovate — alternative to Dependabot with more knobs; not worth the migration cost given Dependabot is built into GitHub and covers our needs
— Claude