From 4b3f68cfa5f9ba744f387beca982036b3623e354 Mon Sep 17 00:00:00 2001
From: Melissa Liu
Date: Tue, 16 Jun 2026 02:28:38 -0400
Subject: [PATCH] [ci] add dependabot config to group updates into single PRs

Adds .github/dependabot.yml so Dependabot bundles all updates for an ecosystem into one grouped PR instead of one PR per dependency:
- npm (root + packages/** + examples/**): all updates -> one PR
- github-actions: all updates -> one PR

Reduces the one-PR-per-dependency noise.

Note: severity filtering (critical-only) is set separately via repo Dependabot auto-triage rules; it cannot be expressed in dependabot.yml.
---
.github/dependabot.yml | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..d1b343daa
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,36 @@
+# Dependabot configuration
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+#
+# `groups` bundles all updates for an ecosystem into a SINGLE pull request
+# instead of one PR per dependency. This applies to both version updates and
+# (when "Grouped security updates" is enabled in repo settings) security
+# updates.
+#
+# NOTE: severity filtering (e.g. "only critical") is NOT configurable here —
+# it is set via repo Settings > Code security > Dependabot auto-triage rules.
+version: 2
+updates:
+  # JavaScript/TypeScript dependencies across the monorepo (root + workspaces).
+  - package-ecosystem: 'npm'
+    directories:
+      - '/'
+      - '/packages/**'
+      - '/examples/**'
+    schedule:
+      interval: 'weekly'
+    open-pull-requests-limit: 5
+    groups:
+      npm-dependencies:
+        patterns:
+          - '*'
+
+  # GitHub Actions used in .github/workflows.
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+    open-pull-requests-limit: 5
+    groups:
+      github-actions:
+        patterns:
+          - '*'
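Review bot: The single `'*'` pattern in `npm-dependencies` means one incompatible major bump that breaks CI holds the entire weekly batch, so every other update in that PR waits on a manual fix; I'd carve majors into their own group listed first, since Dependabot places a dependency in the first group whose rules it matches. `open-pull-requests-limit: 5` is then moot for both ecosystems, as each can only ever have one grouped version-update PR open, and the limit could be dropped or commented as such. Without an `applies-to` key these groups govern version updates only (the default as I read the docs), so the grouping of security updates rests entirely on the repo-settings toggle the header comment describes; an explicit `applies-to: security-updates` group would make that behaviour visible in the file instead of in the UI. Whether the `github-actions` updates are meaningful also depends on the workflows pinning actions by full commit SHA rather than mutable tags, which this file cannot enforce and is worth confirming in .github/workflows.
```yaml
    # … unchanged: package-ecosystem, directories, schedule …
    groups:
      npm-major:
        patterns:
          - '*'
        update-types:
          - 'major'
      npm-security:
        applies-to: security-updates
        patterns:
          - '*'
      npm-dependencies:
        patterns:
          - '*'
```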