Skip to content

chore(dependabot): stop opening PRs for major version bumps#2900

Open
piyalbasu wants to merge 1 commit into
masterfrom
chore/dependabot-drop-major-version-updates
Open

chore(dependabot): stop opening PRs for major version bumps#2900
piyalbasu wants to merge 1 commit into
masterfrom
chore/dependabot-drop-major-version-updates

Conversation

@piyalbasu

Copy link
Copy Markdown
Contributor

TL;DR

Adopt freighter-mobile's posture: Dependabot no longer opens PRs for major version bumps. Grouping all majors into one PR meant a single migration-heavy major (jest 30 / Babel 8) held ~40 trivially-safe majors hostage in a perpetually-red PR that regenerates weekly and can never merge as-is (see the trail of #2864#2889#2898). Majors become deliberate, human-initiated upgrades instead. Minor/patch currency and — importantly — security updates are unaffected, including security fixes that require a major bump.

Implementation details

.github/dependabot.yml (npm ecosystem only):

  • Added ignore: [{ dependency-name: "*", update-types: ["version-update:semver-major"] }].
  • Removed the now-moot major version-update group. minor-and-patch + security groups, weekly schedule, and 7-day cooldown are unchanged; open-pull-requests-limit stays 2.

Why security is safe: per the Dependabot options reference and the ignore changelog, ignore update-types apply only to version updates. Dependabot security updates run independently (separate internal PR limit) and still open a PR to the minimum patched version even when the fix is a major bump.

Verification: YAML parses; the npm ecosystem resolves to minor-and-patch + security groups with the semver-major ignore rule.

Grouping all majors into one PR meant a single migration-heavy major
(e.g. jest 30 / babel 8) held ~40 trivially-safe majors hostage in one
perpetually-red PR that could never merge as-is.

Rather than trade that for a stream of one-PR-per-major, adopt
freighter-mobile's posture: don't open version-update PRs for majors at
all (ignore version-update:semver-major for every dependency). Majors
become deliberate, human-initiated upgrades.

Unaffected:
- minor/patch version updates (still grouped, still weekly w/ 7d cooldown)
- Dependabot SECURITY updates -- per GitHub docs, `ignore` update-types
  apply only to version updates, so a vulnerability that needs a major
  bump still gets a security PR.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 14, 2026 15:35

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adjusts Dependabot configuration to stop generating routine major version-update PRs for npm dependencies, reducing churn and avoiding perpetually-red “all majors” upgrade PRs while keeping minor/patch currency and security updates flowing.

Changes:

  • Added a Dependabot ignore rule to skip version-update:semver-major for all npm dependencies.
  • Removed the now-moot major version-update group, leaving minor-and-patch and security groups intact.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/dependabot.yml
default-days: 7
# Do not open version-update PRs for major bumps -- they are almost always
# breaking-change migrations that don't belong in routine currency churn
# (mirrors freighter-mobile's security-only posture). Minor/patch currency
@github-actions

Copy link
Copy Markdown
Contributor

PR Preview build is ready: https://github.com/stellar/freighter/releases/tag/untagged-88bcec6ff3816b9dad43 (SDF collaborators only — install instructions in the release description)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants