chore: stop Dependabot version-update PRs (keep alerts) #93
Merged
Dependabot version updates (weekly npm + monthly github-actions) open PRs that each trigger the full CI gauntlet, and the npm updater fails outright trying to resolve the pnpm `effect` override (`dependency_file_not_resolvable`), painting a recurring red X on main.

Version updates are PR-only — there is no "open an issue instead" mode — so the way to stop the churn is to remove the version-updater.

Removing .github/dependabot.yml disables version updates (no PRs, no CI, no red X).

Dependabot ALERTS stay enabled at the repo level (Security tab), so vulnerable dependencies are still surfaced as notifications — no PRs, no CI.

Automated security-fix PRs remain enabled (rare, only for real vulnerabilities with a fix); toggle off separately if truly zero PRs is wanted.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01KxU3Y8XueHqfteVGA4KdEh
📝 Walkthrough

Changes: Dependabot Configuration Removal

Estimated code review effort: 1 (Trivial) | ~2 minutes
Related issues: None specified.
Suggested labels: dependencies, chore
Suggested reviewers: None specified.

🐰 A file once watched dependencies grow,

🚥 Pre-merge checks: ✅ 5 passed
Dependabot version updates open a PR per group that each runs the full CI gauntlet, and the npm updater fails resolving the pnpm `effect` override — a recurring red X on main.

Version updates are PR-only (no issue mode), so this removes `.github/dependabot.yml` to disable them: no PRs, no CI, no red X.

Kept: Dependabot alerts (Security tab) still surface vulnerable deps as notifications — no PRs, no CI. Automated security-fix PRs remain on (rare, real vulns only) — can be toggled off separately for truly zero PRs.
🤖 Generated with Claude Code
Greptile Summary
This PR removes the Dependabot version-update configuration. The main change is:
- `.github/dependabot.yml`, stopping scheduled npm and GitHub Actions dependency update PRs.

Confidence Score: 5/5
Safe to merge; the change only removes scheduled dependency-update configuration.
The diff is limited to deleting the Dependabot version-update config, with no application runtime, build, or security-alert behavior changed in the repository code.
Reviews (1): Last reviewed commit: "chore: stop Dependabot version-update PR..."