diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f795def7..43799bb7 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,18 +1,32 @@
 # Dependabot configuration for microsoft/TypeChat.
 #
-# Per ecosystem: routine minor/patch updates are grouped into a single
-# weekly PR; security updates ship as their own grouped PR; major-version
-# bumps fall through ungrouped (one PR per package) for breaking-change
-# review.
+# Security-only mode: we want Dependabot alerts (security updates) to flow,
+# but NOT routine weekly version-update PRs. Setting
+# open-pull-requests-limit: 0 on each ecosystem block disables version
+# updates while keeping the ecosystem registered so security-update PRs
+# can still be opened automatically when an alert fires. (Security
+# updates have a separate, fixed limit of 10 that is unaffected by
+# open-pull-requests-limit.)
+#
+# Routine non-security upgrades are handled out-of-band (manually or by
+# a separate workflow); this file's role is to keep the security pipe
+# unblocked without flooding the repo with churn.
+#
+# Note: devcontainers is intentionally absent -- Dependabot does not
+# support security updates for that ecosystem (only version updates),
+# so a security-only config has nothing to declare for it.
+#
+# Repo-level prerequisites (Settings > Code security):
+# - Dependency graph: enabled
+# - Dependabot alerts: enabled
+# - Dependabot security updates: enabled
+# - Grouped security updates: enabled
 #
 # Docs: https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
 
 version: 2
 updates:
   # npm — typescript library + examples + docs site.
-  # All security alerts in this repo to date have been against
-  # typescript/package-lock.json, which previously had no ecosystem entry
-  # here, so Dependabot never opened any update PRs for them.
   - package-ecosystem: "npm"
     directories:
       - "/typescript"
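Review bot: The new header makes this file depend entirely on repo-level toggles it cannot enforce, and because every ecosystem block now carries `open-pull-requests-limit: 0`, a disabled "Dependabot security updates" setting degrades silently to zero PRs rather than to visible version-update churn; the prerequisites list should spell that failure mode out. Suggest appending under the list: `# If any of these is off, this file produces NO pull requests at all (there are no version updates to fall back on); check the Dependabot tab after changing repo settings.` The claims about a separate fixed limit of 10 and about devcontainers lacking security-update support describe current product behaviour rather than anything this file controls, so they are worth anchoring to the specific section of the docs link below them (e.g. `# see "open-pull-requests-limit" and "package-ecosystem" in the docs link`) so a future reader can re-verify them when GitHub changes the rules.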
@@ -21,18 +35,16 @@ updates:
     schedule:
       interval: "weekly"
       day: "monday"
+    open-pull-requests-limit: 0
     labels:
       - "dependencies"
-    # Group routine minor/patch bumps; security updates grouped separately
-    # so they can be prioritised. Major-version bumps fall through as
-    # one-PR-per-package so they can be reviewed for breaking changes.
+    # Group SemVer minor/patch security alerts so multiple simultaneous
+    # advisories in this ecosystem bundle into a single PR. SemVer-major
+    # security bumps fall through to Dependabot's normal ungrouped
+    # behavior so they can be reviewed individually for breaking changes
+    # (independent of advisory severity — this is purely a SemVer-level
+    # filter).
     groups:
-      npm-production:
-        dependency-type: "production"
-        update-types: ["minor", "patch"]
-      npm-development:
-        dependency-type: "development"
-        update-types: ["minor", "patch"]
       npm-security:
         applies-to: security-updates
         patterns: ["*"]
@@ -43,34 +55,21 @@ updates:
     schedule:
       interval: "weekly"
       day: "monday"
+    open-pull-requests-limit: 0
     labels:
       - "dependencies"
     groups:
-      pip-all:
-        patterns: ["*"]
-        update-types: ["minor", "patch"]
       pip-security:
         applies-to: security-updates
         patterns: ["*"]
         update-types: ["minor", "patch"]
 
-  - package-ecosystem: "devcontainers"
-    directory: "/"
-    schedule:
-      interval: weekly
-    groups:
-      devcontainers:
-        patterns: ["*"]
-        update-types: ["minor", "patch"]
-
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: weekly
+    open-pull-requests-limit: 0
     groups:
-      github-actions:
-        patterns: ["*"]
-        update-types: ["minor", "patch"]
       github-actions-security:
         applies-to: security-updates
         patterns: ["*"]
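Review bot: With version updates disabled, every PR this npm block opens is a security fix, yet the `labels` list still tags them only `dependencies`, so they are indistinguishable from the out-of-band routine bumps the header describes; adding `- "security"` under `labels` lets triage and any branch rules prioritise them (the label has to exist in the repo, otherwise Dependabot ignores it). The new grouping comment is right that major bumps fall through individually, but it should also say that a fix reachable only via a SemVer-major bump therefore arrives as its own PR and presumably counts against the separate security-PR limit the header mentions, which is the case where the pipe can still fill up. Whether one group across the several `directories` entries yields a single PR or one per directory depends on Dependabot's multi-directory handling, so I would soften "a single PR" to "a single PR per grouped directory set" unless that has been confirmed. The npm block's `directories` list starts outside this hunk.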
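Review bot: Deleting the devcontainers block and adding `open-pull-requests-limit: 0` to github-actions leaves `.devcontainer/` pins and workflow action references with no Dependabot coverage except advisory-driven PRs, and the github-actions-security group only does anything if Dependabot alerts actually fire for the actions ecosystem in this repo, which the file does not establish. Worth confirming in the Security > Dependabot view after merge; if alerts never appear for actions, the pins in `.github/workflows` are effectively unmonitored and a compromised or stale action tag will never be bumped by this config. Suggest a comment above the github-actions entry: `# Version updates disabled: action pins only move on an advisory. Confirm alerts fire for this ecosystem, otherwise bump pins out-of-band.` A matching one-line pointer to wherever the "separate workflow" for devcontainer/feature pins lives would close the gap the header comment opens.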