chore: stop Dependabot version-update PRs (keep alerts) #93

Merged
heyoub merged 1 commit into main from chore/disable-dependabot-version-updates
Jul 1, 2026
Conversation

@heyoub heyoub commented Jul 1, 2026

Collaborator

Dependabot version updates open a PR per group that each runs the full CI gauntlet, and the npm updater fails resolving the pnpm effect override — a recurring red X on main.

Version updates are PR-only (no issue mode), so this removes .github/dependabot.yml to disable them: no PRs, no CI, no red X.

Kept: Dependabot alerts (Security tab) still surface vulnerable deps as notifications — no PRs, no CI. Automated security-fix PRs remain on (rare, real vulns only) — can be toggled off separately for truly zero PRs.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Removed automated dependency update configuration. This may reduce background maintenance activity, but does not change app features or user-facing behavior.

Greptile Summary

This PR removes the Dependabot version-update configuration. The main change is:

  • Deleted .github/dependabot.yml, stopping scheduled npm and GitHub Actions dependency update PRs.

Confidence Score: 5/5

Safe to merge; the change only removes scheduled dependency-update configuration.

The diff is limited to deleting the Dependabot version-update config, with no application runtime, build, or security-alert behavior changed in the repository code.

T-Rex Logs

What T-Rex did

  • Observed Dependabot config version 2 showing npm weekly grouped updates and github-actions monthly updates.
  • After the change, .github/dependabot.yml is absent at head, a deletion diff for the file was captured, and assertions passed that no dependency manifests or workflows changed, noting that local repo inspection cannot observe GitHub admin/security settings.

Ran code and verified through T-Rex

Reviews (1): Last reviewed commit: "chore: stop Dependabot version-update PR..."

Dependabot version updates (weekly npm + monthly github-actions) open PRs that
each trigger the full CI gauntlet, and the npm updater fails outright trying to
resolve the pnpm `effect` override (`dependency_file_not_resolvable`), painting a
recurring red X on main. Version updates are PR-only — there is no "open an issue
instead" mode — so the way to stop the churn is to remove the version-updater.

Removing .github/dependabot.yml disables version updates (no PRs, no CI, no red
X). Dependabot ALERTS stay enabled at the repo level (Security tab), so vulnerable
dependencies are still surfaced as notifications — no PRs, no CI. Automated
security-fix PRs remain enabled (rare, only for real vulnerabilities with a fix);
toggle off separately if truly zero PRs is wanted.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01KxU3Y8XueHqfteVGA4KdEh

coderabbitai Bot commented Jul 1, 2026

Walkthrough

The .github/dependabot.yml configuration file was deleted, removing all Dependabot update settings for the npm ecosystem (weekly schedule, grouping rules, labels, PR limits) and github-actions ecosystem (monthly schedule, labels, PR limit).

Changes

Dependabot Configuration Removal

| Layer / File(s) | Summary |
|---|---|
| Remove Dependabot configuration (.github/dependabot.yml) | Entire Dependabot update configuration file deleted, removing npm and github-actions update schedules, grouping rules, labels, and PR limits. |

Estimated code review effort: 1 (Trivial) | ~2 minutes

Related issues: None specified.

Suggested labels: dependencies, chore

Suggested reviewers: None specified.

🐰 A file once watched dependencies grow,
Now silent, deleted, no more to show,
No weekly bumps, no monthly cheer,
Dependabot's config disappears here.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes removing Dependabot version-update PRs while keeping alerts enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
@heyoub heyoub merged commit 80f9682 into main Jul 1, 2026
11 checks passed
@heyoub heyoub deleted the chore/disable-dependabot-version-updates branch July 1, 2026 13:15
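
Added example (not part of this PR or the repository): the T-Rex log above notes that local repo inspection cannot observe GitHub's security settings, so this sketch pairs the local file check with the two REST endpoints that report Dependabot alerts and security updates. The function names and the `OWNER/REPO` argument are assumptions; `check_repo` needs network access and an authenticated `gh`, while the other functions work on values you pass in.

```shell
#!/usr/bin/env bash
# Added example, not project code. OWNER/REPO passed to check_repo is a placeholder.

# GET /repos/{owner}/{repo}/vulnerability-alerts: 204 = alerts on, 404 = off.
alerts_state() {
  case "$1" in
    204) echo enabled ;;
    404) echo disabled ;;
    *)   echo unknown ;;
  esac
}

# GET /repos/{owner}/{repo}/automated-security-fixes returns JSON such as
# {"enabled":true,"paused":false}; an empty or error body counts as disabled.
security_updates_state() {
  if printf '%s' "$1" | grep -Eq '"enabled"[[:space:]]*:[[:space:]]*true'; then
    if printf '%s' "$1" | grep -Eq '"paused"[[:space:]]*:[[:space:]]*true'; then
      echo paused
    else
      echo enabled
    fi
  else
    echo disabled
  fi
}

# Version updates are driven only by the config file in the checkout.
version_updates_state() {
  if [ -f "$1/.github/dependabot.yml" ]; then echo configured; else echo removed; fi
}

# The state this PR describes: config gone, alerts on, security-fix PRs on.
matches_pr_intent() {   # args: checkout dir, HTTP status, JSON body
  [ "$(version_updates_state "$1")" = removed ] &&
  [ "$(alerts_state "$2")" = enabled ] &&
  [ "$(security_updates_state "$3")" = enabled ]
}

# Live check with the GitHub CLI (needs network and an authenticated gh).
check_repo() {          # args: OWNER/REPO, checkout dir
  local status body
  status=$(gh api -i "repos/$1/vulnerability-alerts" 2>/dev/null | awk 'NR==1 {print $2}')
  body=$(gh api "repos/$1/automated-security-fixes" 2>/dev/null)
  echo "version updates:  $(version_updates_state "$2")"
  echo "alerts:           $(alerts_state "$status")"
  echo "security updates: $(security_updates_state "$body")"
}
```

An `alerts: unknown` result means the status line could not be read (no network, no auth, or insufficient permission), which is different from alerts being off.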