ci: switch dependabot to security-only updates#36

Merged
jal-co merged 1 commit into
mainfrom
ci/dependabot-security-only
May 31, 2026
Conversation

@jal-co jal-co (Owner) commented May 31, 2026

What

Switches Dependabot to security-only mode: sets open-pull-requests-limit: 0 on all three ecosystems, which disables routine version-bump PRs while still letting Dependabot security updates open PRs for real advisories.

Why

The routine weekly version-update PRs (e.g. #34, #35) were too noisy for this repo. This keeps the valuable part — automated PRs for actual CVEs — without the churn. Repo-level alerts and automated security fixes stay enabled, so vulnerabilities are still surfaced and patched.

#34 and #35 (version-update PRs) were closed as part of this change.

Closes #

Type

  • ci — CI/CD changes

How

  • open-pull-requests-limit: 0 per ecosystem → Dependabot opens no version-update PRs, but still opens security-update PRs (this is the documented behaviour).
  • Removed the per-ecosystem version-update groups (only relevant to version updates).
  • Kept the watched ecosystems (npm root, npm /www, github-actions), Conventional Commit prefixes, and labels so any security PR stays tidy and passes commit-check.

Testing

  • commit-check --branch / --message — pass
  • Config validated: 3 ecosystems, each with open-pull-requests-limit: 0
  • No code changed.

Screenshots

N/A — CI configuration.

Sets open-pull-requests-limit: 0 on all three ecosystems, which disables
routine version-bump PRs while Dependabot security updates still open
PRs for actual advisories. Removes the per-ecosystem version-update
groups, which no longer apply. Keeps the watched ecosystems, commit
prefixes, and labels so security PRs stay tidy and pass commit-check.
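The dependabot.yml layout this PR describes, written out here as an added illustration rather than the repository's actual file: three ecosystems (npm at the root, npm under /www, github-actions), each with open-pull-requests-limit: 0 and no groups block. The weekly schedule interval, the "ci" commit-message prefix and the "ci" label are assumptions; only the ecosystems, directories and the limit come from the PR.

```yaml
# Added example of a security-only Dependabot config; not this repository's file.
# Assumed values: schedule interval, commit-message prefix, label name.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"        # assumed; still required even with limit 0
    # 0 disables version-update PRs for this ecosystem. Dependabot security
    # updates are not counted against this limit, so advisory-driven PRs
    # still open (the documented behaviour the PR relies on).
    open-pull-requests-limit: 0
    commit-message:
      prefix: "ci"              # assumed Conventional Commit prefix
    labels:
      - "ci"                    # assumed; matches the repo's ci label
    # No "groups:" key: grouping only applies to version updates.

  - package-ecosystem: "npm"
    directory: "/www"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    commit-message:
      prefix: "ci"
    labels:
      - "ci"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    commit-message:
      prefix: "ci"
    labels:
      - "ci"
```

Repo-level Dependabot alerts and automated security fixes are separate repository settings, not part of this file, so they stay enabled independently of this change.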
vercel Bot commented May 31, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project: scn-stack | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): May 31, 2026 3:12am

@github-actions github-actions Bot added the ci CI/CD and workflow changes label May 31, 2026
@jal-co jal-co merged commit 1d55e1c into main May 31, 2026
5 checks passed