chore(dependabot): stop opening PRs for major version bumps#2900
Open
piyalbasu wants to merge 1 commit into
Open
chore(dependabot): stop opening PRs for major version bumps#2900piyalbasu wants to merge 1 commit into
piyalbasu wants to merge 1 commit into
Conversation
Grouping all majors into one PR meant a single migration-heavy major (e.g. jest 30 / babel 8) held ~40 trivially-safe majors hostage in one perpetually-red PR that could never merge as-is. Rather than trade that for a stream of one-PR-per-major, adopt freighter-mobile's posture: don't open version-update PRs for majors at all (ignore version-update:semver-major for every dependency). Majors become deliberate, human-initiated upgrades. Unaffected: - minor/patch version updates (still grouped, still weekly w/ 7d cooldown) - Dependabot SECURITY updates -- per GitHub docs, `ignore` update-types apply only to version updates, so a vulnerability that needs a major bump still gets a security PR. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Adjusts Dependabot configuration to stop generating routine major version-update PRs for npm dependencies, reducing churn and avoiding perpetually-red “all majors” upgrade PRs while keeping minor/patch currency and security updates flowing.
Changes:
- Added a Dependabot
ignorerule to skipversion-update:semver-majorfor all npm dependencies. - Removed the now-moot
majorversion-update group, leavingminor-and-patchandsecuritygroups intact.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| default-days: 7 | ||
| # Do not open version-update PRs for major bumps -- they are almost always | ||
| # breaking-change migrations that don't belong in routine currency churn | ||
| # (mirrors freighter-mobile's security-only posture). Minor/patch currency |
Contributor
|
PR Preview build is ready: https://github.com/stellar/freighter/releases/tag/untagged-88bcec6ff3816b9dad43 (SDF collaborators only — install instructions in the release description) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
TL;DR
Adopt freighter-mobile's posture: Dependabot no longer opens PRs for major version bumps. Grouping all majors into one PR meant a single migration-heavy major (jest 30 / Babel 8) held ~40 trivially-safe majors hostage in a perpetually-red PR that regenerates weekly and can never merge as-is (see the trail of #2864 → #2889 → #2898). Majors become deliberate, human-initiated upgrades instead. Minor/patch currency and — importantly — security updates are unaffected, including security fixes that require a major bump.
Implementation details
.github/dependabot.yml(npm ecosystem only):ignore: [{ dependency-name: "*", update-types: ["version-update:semver-major"] }].majorversion-update group.minor-and-patch+securitygroups, weekly schedule, and 7-day cooldown are unchanged;open-pull-requests-limitstays 2.Why security is safe: per the Dependabot options reference and the ignore changelog,
ignoreupdate-typesapply only to version updates. Dependabot security updates run independently (separate internal PR limit) and still open a PR to the minimum patched version even when the fix is a major bump.Verification: YAML parses; the npm ecosystem resolves to
minor-and-patch+securitygroups with the semver-major ignore rule.