From 292b9cdbd23863f46e25fa7599dcd0a97ede8569 Mon Sep 17 00:00:00 2001
From: Tal Zaccai
Date: Mon, 1 Jun 2026 21:55:55 -0700
Subject: [PATCH 1/5] ci(dependabot): switch to security-only mode

The previous config opened weekly version-update PRs as well as security-update PRs. The first scheduled run after enabling grouping produced 19 PRs, only one of which was a grouped minor/patch bump -- the rest were ungrouped majors (dotenv 16->17 alone produced 12 PRs because it is a top-level dep in every examples/* package.json). Setting open-pull-requests-limit: 0 on each ecosystem block disables version-update PRs while keeping the ecosystem registered so security-update PRs still flow when alerts fire. The security-update grouping rules are preserved.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/dependabot.yml | 39 +++++++++++++--------------------------
 1 file changed, 13 insertions(+), 26 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f795def7..1e510f97 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,18 +1,20 @@ # Dependabot configuration for microsoft/TypeChat. # -# Per ecosystem: routine minor/patch updates are grouped into a single -# weekly PR; security updates ship as their own grouped PR; major-version -# bumps fall through ungrouped (one PR per package) for breaking-change -# review. +# Security-only mode: we want Dependabot alerts (security updates) to flow, +# but NOT routine weekly version-update PRs. Setting +# open-pull-requests-limit: 0 on each ecosystem block disables version +# updates while keeping the ecosystem registered so security-update PRs +# can still be opened automatically when an alert fires. +# +# Routine non-security upgrades are handled out-of-band (manually or by +# a separate workflow); this file's role is to keep the security pipe +# unblocked without flooding the repo with churn. # # Docs: https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates version: 2 updates: # npm — typescript library + examples + docs site. - # All security alerts in this repo to date have been against - # typescript/package-lock.json, which previously had no ecosystem entry - # here, so Dependabot never opened any update PRs for them. - package-ecosystem: "npm" directories: - "/typescript"
@@ -21,18 +23,10 @@ updates: schedule: interval: "weekly" day: "monday" + open-pull-requests-limit: 0 labels: - "dependencies" - # Group routine minor/patch bumps; security updates grouped separately - # so they can be prioritised. Major-version bumps fall through as - # one-PR-per-package so they can be reviewed for breaking changes. groups: - npm-production: - dependency-type: "production" - update-types: ["minor", "patch"] - npm-development: - dependency-type: "development" - update-types: ["minor", "patch"] npm-security: applies-to: security-updates patterns: ["*"]
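Review bot: With `open-pull-requests-limit: 0` added in the second hunk, the `schedule` block directly above it (`interval: "weekly"`, `day: "monday"`) no longer drives any PR creation — the commit message itself says security-update PRs are opened when alerts fire, not on the schedule — so the retained `day: "monday"` will read to the next maintainer as a weekly run that no longer happens. As far as I know `schedule.interval` is required by the dependabot.yml v2 schema, so the block cannot simply be dropped, but a one-line comment would prevent the confusion, e.g. `# schedule is required by the schema; in security-only mode it does not drive PRs.` The pip and github-actions blocks in the following hunks keep the same schedule keys and would take the same comment.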
@@ -43,12 +37,10 @@ updates: schedule: interval: "weekly" day: "monday" + open-pull-requests-limit: 0 labels: - "dependencies" groups: - pip-all: - patterns: ["*"] - update-types: ["minor", "patch"] pip-security: applies-to: security-updates patterns: ["*"]
@@ -58,19 +50,14 @@ updates: directory: "/" schedule: interval: weekly - groups: - devcontainers: - patterns: ["*"] - update-types: ["minor", "patch"] + open-pull-requests-limit: 0 - package-ecosystem: "github-actions" directory: "/" schedule: interval: weekly + open-pull-requests-limit: 0 groups: - github-actions: - patterns: ["*"] - update-types: ["minor", "patch"] github-actions-security: applies-to: security-updates patterns: ["*"]
From f705855c8a25d97b90adb0132681576dc2b0b80f Mon Sep 17 00:00:00 2001
From: Tal Zaccai
Date: Mon, 1 Jun 2026 22:00:47 -0700
Subject: [PATCH 2/5] ci(dependabot): bundle all routine updates into one PR per ecosystem

Previous revision of this branch set open-pull-requests-limit: 0 to disable all routine version-update PRs. Per follow-up review we want a single weekly grouped PR per ecosystem covering majors + minors + patches instead -- easier to review at a glance than many small PRs.

- Drop open-pull-requests-limit: 0 (let routine PRs flow again)
- Add npm-all / pip-all / devcontainers-all / github-actions-all groups matching every package and every update-type (major, minor, patch) -- collapses everything into one PR per ecosystem per weekly run.
- Keep the security-updates groups as separate PRs so security work isn't buried in routine churn.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/dependabot.yml | 138 ++++++++++++++++++++++-------------
 1 file changed, 74 insertions(+), 64 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 1e510f97..f1fa151a 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,64 +1,74 @@ -# Dependabot configuration for microsoft/TypeChat. -# -# Security-only mode: we want Dependabot alerts (security updates) to flow, -# but NOT routine weekly version-update PRs. Setting -# open-pull-requests-limit: 0 on each ecosystem block disables version -# updates while keeping the ecosystem registered so security-update PRs -# can still be opened automatically when an alert fires. -# -# Routine non-security upgrades are handled out-of-band (manually or by -# a separate workflow); this file's role is to keep the security pipe -# unblocked without flooding the repo with churn. -# -# Docs: https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates - -version: 2 -updates: - # npm — typescript library + examples + docs site. - - package-ecosystem: "npm" - directories: - - "/typescript" - - "/typescript/examples/*" - - "/site" - schedule: - interval: "weekly" - day: "monday" - open-pull-requests-limit: 0 - labels: - - "dependencies" - groups: - npm-security: - applies-to: security-updates - patterns: ["*"] - update-types: ["minor", "patch"] - - - package-ecosystem: "pip" - directory: "/python" - schedule: - interval: "weekly" - day: "monday" - open-pull-requests-limit: 0 - labels: - - "dependencies" - groups: - pip-security: - applies-to: security-updates - patterns: ["*"] - update-types: ["minor", "patch"] - - - package-ecosystem: "devcontainers" - directory: "/" - schedule: - interval: weekly - open-pull-requests-limit: 0 - - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: weekly - open-pull-requests-limit: 0 - groups: - github-actions-security: - applies-to: security-updates - patterns: ["*"] - update-types: ["minor", "patch"] +# Dependabot configuration for microsoft/TypeChat. +# +# Single-PR-per-ecosystem mode: every routine version bump (major, minor, +# patch) is bundled into ONE grouped PR per ecosystem per weekly run. 
+# Security updates ship as their own grouped PR so they aren't buried +# under routine churn. +# +# Tradeoff: one large PR is easier to review at a glance than many small +# ones, but if it fails CI the cause is harder to bisect because the +# compounded breaking changes (e.g. dotenv 16->17 + sqlite3 5->6) all +# land at once. If a routine PR keeps failing, drop the offending +# package(s) from the PR's commit list and let it land without them. +# +# Docs: https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + # npm — typescript library + examples + docs site. + - package-ecosystem: "npm" + directories: + - "/typescript" + - "/typescript/examples/*" + - "/site" + schedule: + interval: "weekly" + day: "monday" + labels: + - "dependencies" + groups: + npm-all: + patterns: ["*"] + update-types: ["major", "minor", "patch"] + npm-security: + applies-to: security-updates + patterns: ["*"] + update-types: ["minor", "patch"] + + - package-ecosystem: "pip" + directory: "/python" + schedule: + interval: "weekly" + day: "monday" + labels: + - "dependencies" + groups: + pip-all: + patterns: ["*"] + update-types: ["major", "minor", "patch"] + pip-security: + applies-to: security-updates + patterns: ["*"] + update-types: ["minor", "patch"] + + - package-ecosystem: "devcontainers" + directory: "/" + schedule: + interval: weekly + groups: + devcontainers-all: + patterns: ["*"] + update-types: ["major", "minor", "patch"] + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: weekly + groups: + github-actions-all: + patterns: ["*"] + update-types: ["major", "minor", "patch"] + github-actions-security: + applies-to: security-updates + patterns: ["*"] + update-types: ["minor", "patch"]
From c6ad6087284ebe9b45b274dfbda86cafffd4b72b Mon Sep 17 00:00:00 2001
From: Tal Zaccai
Date: Mon, 1 Jun 2026 22:02:09 -0700
Subject: [PATCH 3/5] Revert "ci(dependabot): bundle all routine updates into one PR per ecosystem"

This reverts commit f705855c8a25d97b90adb0132681576dc2b0b80f.
---
 .github/dependabot.yml | 138 +++++++++++++++++++----------------------
 1 file changed, 64 insertions(+), 74 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f1fa151a..1e510f97 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,74 +1,64 @@ -# Dependabot configuration for microsoft/TypeChat. -# -# Single-PR-per-ecosystem mode: every routine version bump (major, minor, -# patch) is bundled into ONE grouped PR per ecosystem per weekly run. -# Security updates ship as their own grouped PR so they aren't buried -# under routine churn. -# -# Tradeoff: one large PR is easier to review at a glance than many small -# ones, but if it fails CI the cause is harder to bisect because the -# compounded breaking changes (e.g. dotenv 16->17 + sqlite3 5->6) all -# land at once. If a routine PR keeps failing, drop the offending -# package(s) from the PR's commit list and let it land without them. -# -# Docs: https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates - -version: 2 -updates: - # npm — typescript library + examples + docs site. - - package-ecosystem: "npm" - directories: - - "/typescript" - - "/typescript/examples/*" - - "/site" - schedule: - interval: "weekly" - day: "monday" - labels: - - "dependencies" - groups: - npm-all: - patterns: ["*"] - update-types: ["major", "minor", "patch"] - npm-security: - applies-to: security-updates - patterns: ["*"] - update-types: ["minor", "patch"] - - - package-ecosystem: "pip" - directory: "/python" - schedule: - interval: "weekly" - day: "monday" - labels: - - "dependencies" - groups: - pip-all: - patterns: ["*"] - update-types: ["major", "minor", "patch"] - pip-security: - applies-to: security-updates - patterns: ["*"] - update-types: ["minor", "patch"] - - - package-ecosystem: "devcontainers" - directory: "/" - schedule: - interval: weekly - groups: - devcontainers-all: - patterns: ["*"] - update-types: ["major", "minor", "patch"] - - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: weekly - groups: - github-actions-all: - patterns: ["*"] - update-types: ["major", "minor", "patch"] - github-actions-security: - applies-to: security-updates - patterns: ["*"] - update-types: 
["minor", "patch"] +# Dependabot configuration for microsoft/TypeChat. +# +# Security-only mode: we want Dependabot alerts (security updates) to flow, +# but NOT routine weekly version-update PRs. Setting +# open-pull-requests-limit: 0 on each ecosystem block disables version +# updates while keeping the ecosystem registered so security-update PRs +# can still be opened automatically when an alert fires. +# +# Routine non-security upgrades are handled out-of-band (manually or by +# a separate workflow); this file's role is to keep the security pipe +# unblocked without flooding the repo with churn. +# +# Docs: https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + # npm — typescript library + examples + docs site. + - package-ecosystem: "npm" + directories: + - "/typescript" + - "/typescript/examples/*" + - "/site" + schedule: + interval: "weekly" + day: "monday" + open-pull-requests-limit: 0 + labels: + - "dependencies" + groups: + npm-security: + applies-to: security-updates + patterns: ["*"] + update-types: ["minor", "patch"] + + - package-ecosystem: "pip" + directory: "/python" + schedule: + interval: "weekly" + day: "monday" + open-pull-requests-limit: 0 + labels: + - "dependencies" + groups: + pip-security: + applies-to: security-updates + patterns: ["*"] + update-types: ["minor", "patch"] + + - package-ecosystem: "devcontainers" + directory: "/" + schedule: + interval: weekly + open-pull-requests-limit: 0 + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: weekly + open-pull-requests-limit: 0 + groups: + github-actions-security: + applies-to: security-updates + patterns: ["*"] + update-types: ["minor", "patch"] From d11bdc63a31c05ae08494cf9ecbd4c222937f487 Mon Sep 17 00:00:00 2001 
From: Tal Zaccai
Date: Mon, 1 Jun 2026 22:03:41 -0700
Subject: [PATCH 4/5] ci(dependabot): add devcontainers security-update group

The other ecosystem blocks all have an `applies-to: security-updates` group that bundles minor/patch security alerts into a single PR; devcontainers was missing one. Adding it for consistency. In practice the repo has exactly one devcontainer config so there's little to bundle, but this keeps the policy uniform and future-proof if more devcontainer configs are added later. Major-severity security bumps still fall through ungrouped (one PR per advisory) for breaking-change review, matching the other ecosystems.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/dependabot.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 1e510f97..511a6043 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -51,6 +51,11 @@ updates: schedule: interval: weekly open-pull-requests-limit: 0 + groups: + devcontainers-security: + applies-to: security-updates + patterns: ["*"] + update-types: ["minor", "patch"] - package-ecosystem: "github-actions" directory: "/"
From d98161989f66e6571a94757615eb0d13d08ce4d3 Mon Sep 17 00:00:00 2001
From: Tal Zaccai
Date: Mon, 1 Jun 2026 22:15:03 -0700
Subject: [PATCH 5/5] ci(dependabot): drop devcontainers block, clarify SemVer wording

Per rubber-duck review:

1. devcontainers does not support Dependabot security updates (only version updates per the supported-ecosystems matrix), so in security-only mode the block is inert. Drop it entirely; documented the rationale in the file header.

2. update-types: [minor, patch] is a SemVer-level filter, not an advisory severity filter. The earlier comments said "major security bumps fall through ungrouped" which conflated SemVer-major with high/critical severity. A critical CVE patched by a SemVer-patch bump IS grouped; a low CVE requiring a SemVer-major bump is not. Reworded the comments to make that explicit.

3. Added a header note listing the repo-level Settings > Code security toggles this config depends on (Dependency graph, Dependabot alerts, Dependabot security updates, Grouped security updates).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/dependabot.yml | 31 +++++++++++++++++++------------
 1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 511a6043..43799bb7 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,12 +4,24 @@
 # but NOT routine weekly version-update PRs. Setting
 # open-pull-requests-limit: 0 on each ecosystem block disables version
 # updates while keeping the ecosystem registered so security-update PRs
-# can still be opened automatically when an alert fires.
+# can still be opened automatically when an alert fires. (Security
+# updates have a separate, fixed limit of 10 that is unaffected by
+# open-pull-requests-limit.)
 #
 # Routine non-security upgrades are handled out-of-band (manually or by
 # a separate workflow); this file's role is to keep the security pipe
 # unblocked without flooding the repo with churn.
 #
+# Note: devcontainers is intentionally absent -- Dependabot does not
+# support security updates for that ecosystem (only version updates),
+# so a security-only config has nothing to declare for it.
+#
+# Repo-level prerequisites (Settings > Code security):
+# - Dependency graph: enabled
+# - Dependabot alerts: enabled
+# - Dependabot security updates: enabled
+# - Grouped security updates: enabled
+#
 # Docs: https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
 
 version: 2
@@ -26,6 +38,12 @@ updates: open-pull-requests-limit: 0 labels: - "dependencies" + # Group SemVer minor/patch security alerts so multiple simultaneous + # advisories in this ecosystem bundle into a single PR. SemVer-major + # security bumps fall through to Dependabot's normal ungrouped + # behavior so they can be reviewed individually for breaking changes + # (independent of advisory severity — this is purely a SemVer-level + # filter). groups: npm-security: applies-to: security-updates
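Review bot: The new prerequisites list in the first hunk is the right thing to document, but it should also say what happens when one of those toggles is off: with every version-update limit already at 0, this file then produces zero PRs and no error, which is indistinguishable from "no open alerts", so a quiet period can be an unpatched one. Suggest closing the list with `# If any of these is off, this file is inert and nothing will flag it — verify the toggles before trusting a quiet period.` The added parenthetical about a separate, fixed limit of 10 for security updates matches GitHub's documentation as I know it, but it is platform behavior rather than anything this config controls, so tying it to the Docs link just below instead of stating it as fixed would keep the header accurate if that limit ever changes.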
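Review bot: The SemVer-versus-severity explanation in the second hunk is added only above the npm block's `groups:` key, while the pip and github-actions blocks (outside this hunk, visible earlier in the series) carry the identical `update-types: ["minor", "patch"]` filter and keep no comment, so a reader landing on those blocks still gets the conflated reading this commit says it is correcting. Since the file header already holds the prerequisites and the devcontainers rationale, the explanation fits better there, with a one-line pointer above each `groups:` key such as `# update-types here is a SemVer filter, not a severity filter — see header.` That also keeps the three security groups from drifting apart the next time one of them is edited.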
@@ -46,17 +64,6 @@ updates: patterns: ["*"] update-types: ["minor", "patch"] - - package-ecosystem: "devcontainers" - directory: "/" - schedule: - interval: weekly - open-pull-requests-limit: 0 - groups: - devcontainers-security: - applies-to: security-updates - patterns: ["*"] - update-types: ["minor", "patch"] - - package-ecosystem: "github-actions" directory: "/" schedule: