ci: add npm and pre-commit ecosystems to Dependabot#369
- Add npm ecosystem covering /web, /site, and /.github directories
- Add pre-commit ecosystem (newly supported by Dependabot as of 2026-03-10)
- Pin wrangler via lockfile (.github/package.json + package-lock.json) instead of bare `npm i wrangler@version` to resolve Scorecard Pinned-Dependencies alert #32
- Update pages-preview.yml to use `npm ci --prefix .github`
- Disable pre-commit.ci autoupdate (Dependabot now owns version bumps)
- Add .github/node_modules/ to .gitignore
Summary by CodeRabbit
Walkthrough: Adds Dependabot entries for pre-commit and npm (including a CI-only npm target), introduces a CI-scoped
Sequence diagram

```mermaid
sequenceDiagram
    autonumber
    participant PR as "Pull Request"
    participant GHA as "GitHub Actions (pages-preview)"
    participant Repo as "Repository (sparse-checkout)"
    participant NPM as "npm / package-lock"
    participant Wrangler as "wrangler (npx --prefix .github)"
    rect rgba(200,200,255,0.5)
        PR->>GHA: Trigger pages-preview workflow
    end
    rect rgba(200,255,200,0.5)
        GHA->>Repo: Checkout repo (sparse: .github/package.json + lockfile)
        Repo-->>GHA: Provide package.json and package-lock.json
    end
    rect rgba(255,230,200,0.5)
        GHA->>NPM: npm ci --ignore-scripts --prefix .github (use lockfile)
        NPM-->>GHA: Install CI tooling into .github/node_modules
    end
    rect rgba(240,200,255,0.5)
        GHA->>Wrangler: npx --prefix .github wrangler deploy
        Wrangler-->>GHA: Deploy to Cloudflare Pages
    end
```
Summary of Changes (Gemini Code Assist)
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the project's dependency management and security posture. It centralizes automated dependency updates for both npm packages and pre-commit hooks under Dependabot, ensuring consistent and timely updates across various parts of the codebase. Furthermore, it addresses a security concern by explicitly pinning the 'wrangler' dependency via a lockfile, aligning with best practices for supply chain security. These changes streamline CI processes and reduce manual overhead for dependency maintenance.
Code Review
This pull request enhances your Dependabot configuration by adding support for the npm and pre-commit ecosystems. It also pins the wrangler dependency using a lockfile for better security and OSSF Scorecard compliance. The changes are well-structured and clearly explained. I have one suggestion to improve the maintainability of the npm configuration.
| - package-ecosystem: npm | ||
| directories: | ||
| - /web | ||
| - /site | ||
| - /.github | ||
| schedule: | ||
| interval: daily | ||
| time: "06:00" | ||
| timezone: Etc/UTC | ||
| commit-message: | ||
| prefix: "chore" | ||
| groups: | ||
| minor-and-patch: | ||
| update-types: [minor, patch] | ||
| open-pull-requests-limit: 10 | ||
| reviewers: | ||
| - Aureliolo | ||
| labels: | ||
| - type:chore |
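Review bot: `groups.minor-and-patch` with `update-types: [minor, patch]` leaves every major bump under /web, /site and /.github as its own PR, and all three directories share the single `open-pull-requests-limit: 10`, so a day with several major releases in the app directories can exhaust the limit and delay the CI-tooling (wrangler) bump. Either add a second group for majors (`update-types: [major]`) or split /.github into its own entry with its own limit and a `type:ci` label, as the comment below suggests.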
For better separation of concerns and future flexibility, consider splitting this npm configuration into two separate blocks: one for application dependencies (/web, /site) and another for CI tooling dependencies (/.github).
This would allow you to apply different settings to each group. For example, the suggested change below:
- Uses a more specific label `type:ci` for the `/.github` dependencies, which would be consistent with your `github-actions` configuration.
- Sets a separate `open-pull-requests-limit` for each group, which can be tuned independently in the future.

```yaml
  - package-ecosystem: npm
    directories:
      - /web
      - /site
    schedule:
      interval: daily
      time: "06:00"
      timezone: Etc/UTC
    commit-message:
      prefix: "chore"
    groups:
      minor-and-patch:
        update-types: [minor, patch]
    open-pull-requests-limit: 10
    reviewers:
      - Aureliolo
    labels:
      - type:chore
  - package-ecosystem: npm
    directory: /.github
    schedule:
      interval: daily
      time: "06:00"
      timezone: Etc/UTC
    commit-message:
      prefix: "chore"
    groups:
      minor-and-patch:
        update-types: [minor, patch]
    open-pull-requests-limit: 5
    reviewers:
      - Aureliolo
    labels:
      - type:ci
```
Greptile Summary
This PR completes the Dependabot coverage story by adding
Confidence Score: 4/5
Greptile review comment
Path: .github/workflows/dependency-review.yml
Line: 56-58
**Version-pinned sharp PURLs will break future Dependabot PRs**
`allow-dependencies-licenses` uses exact-version PURLs for `@img/sharp-*` packages. Now that this PR enables Dependabot for both `/.github` (wrangler) and `/site` (Astro), future Dependabot PRs that bump either of those packages may transitively pull in a newer version of `@img/sharp-*`. When that happens, the new version won't match `@0.33.5` and the dependency-review gate will fail, blocking the Dependabot PR even though the license hasn't changed.
The fix is to drop the version qualifier from the PURL, which matches any version of the package:
```suggestion
pkg:npm/@img/sharp-wasm32,
pkg:npm/@img/sharp-win32-ia32,
pkg:npm/@img/sharp-win32-x64
```
The same staleness risk exists for the PyPI entries (`mem0ai@1.0.5`, `numpy@2.4.3`, etc.) which were already there before this PR, but those will now surface sooner once Dependabot starts creating npm PRs that exercise this action more frequently.
Last reviewed commit: 5f10cc0
Pull request overview
This PR extends dependency automation and CI supply-chain hardening by adding new Dependabot ecosystems (npm + pre-commit), switching the Cloudflare Pages preview deploy to a lockfile-pinned Wrangler install, and disabling pre-commit.ci’s own autoupdates to avoid duplicate version-bump PRs.
Changes:
- Add Dependabot support for `pre-commit` and `npm` (covering `/web`, `/site`, and `/.github`).
- Pin `wrangler` for CI via `.github/package.json` + `package-lock.json` and update the Pages preview workflow to install via `npm ci --prefix .github`.
- Update repo hygiene/config: disable pre-commit.ci autoupdates and ignore `.github/node_modules/`.
Reviewed changes
Copilot reviewed 4 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .pre-commit-config.yaml | Disables pre-commit.ci autoupdate scheduling so Dependabot owns hook rev bumps. |
| .gitignore | Ignores .github/node_modules/ created by CI tooling installs. |
| .github/workflows/pages-preview.yml | Switches preview deploy to lockfile-based Wrangler install and invocation. |
| .github/package.json | Adds CI-only npm manifest to pin Wrangler via lockfile. |
| .github/package-lock.json | Provides hash-pinned dependency graph for Wrangler install in CI. |
| .github/dependabot.yml | Adds new Dependabot ecosystems for pre-commit and npm dependency updates. |
Files not reviewed (1)
- .github/package-lock.json: Language not supported
| npm ci --ignore-scripts --prefix .github | ||
| npx --prefix .github wrangler pages deploy _site --project-name=synthorg-pr-preview --branch="pr-${PR_NUMBER}" |
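Review bot: `npm ci --prefix .github` needs `.github/package.json` and `.github/package-lock.json` present in the job workspace; if the deploy-preview job only downloads the `_site` artifact and never checks the repository out, this line fails before wrangler is installed. Add a checkout step (a sparse checkout restricted to those two files is enough) ahead of this install, and keep `--ignore-scripts` so that no lifecycle script from the lockfile's dependency graph runs in a job that holds deploy credentials.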
Codecov Report: All modified and coverable lines are covered by tests.

```
@@ Coverage Diff @@
## main #369 +/- ##
=======================================
Coverage 93.90% 93.90%
=======================================
Files 447 447
Lines 20819 20819
Branches 2011 2011
=======================================
Hits 19551 19551
Misses 981 981
Partials 287 287
```
…ewers
- Add sparse checkout step in deploy-preview job so npm ci --prefix .github can find package.json/lockfile (CRITICAL — caught by infra-reviewer, Greptile, Copilot)
- Split npm Dependabot config into app deps (type:chore) and CI tooling (type:ci) per Gemini suggestion
- Update CLAUDE.md Dependabot section to list all 6 ecosystems
- Document .github/package.json CI tooling in PR Preview section
- Document pre-commit.ci autoupdate disabled in Git section
- Add GitHub Actions and pre-commit rows to docs/security.md dependency management table
Actionable comments posted: 1
Inline comment on .github/workflows/pages-preview.yml, around lines 225-233:
Move the "Checkout CI tooling (wrangler lockfile)" step to run before the artifact download step and pin it to the PR commit by adding ref: ${{ needs.build.outputs.head_sha }}; also disable workspace-cleaning by setting clean: false (or ensure it won't remove the _site artifact) and keep persist-credentials: false and the sparse-checkout entries intact so the checkout does not delete the downloaded _site and uses the PR's wrangler tooling rather than the default branch.
Additional comments (3)
- docs/security.md, lines 134-136: Security dependency table update is accurate and consistent with the new automation scope.
- .github/dependabot.yml, lines 38-90: Dependabot expansion is well-structured and cleanly separates app vs CI update streams.
- CLAUDE.md, line 189: Process docs are updated consistently with the new Dependabot + lockfile-based preview deployment flow. Also applies to: 215-215, 224-224
Checkout with clean: true (default) was wiping the _site/ artifact. Moving checkout first ensures sparse checkout runs on a fresh workspace, then download-artifact safely adds _site/ alongside. Pin to PR commit via ref so the lockfile matches the PR's code.
Pull request overview
Adds broader automated dependency management and improves CI supply-chain pinning by extending Dependabot coverage (npm + pre-commit) and switching Pages preview deployment tooling to a lockfile-pinned wrangler install.
Changes:
- Add Dependabot updates for `pre-commit` hooks and npm dependencies across `/web`, `/site`, and `/.github`.
- Pin Cloudflare `wrangler` for the Pages preview workflow via `.github/package.json` + `package-lock.json` and switch workflow install to `npm ci --prefix .github`.
- Disable pre-commit.ci autoupdate and update documentation/ignore rules accordingly.
Reviewed changes
Copilot reviewed 6 out of 8 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/dependabot.yml | Adds pre-commit and npm ecosystems (including multi-directory npm coverage). |
| .github/workflows/pages-preview.yml | Installs wrangler from .github lockfile and uses it for Pages preview deploys. |
| .github/package.json | Introduces a CI-only npm package to pin wrangler. |
| .github/package-lock.json | Provides hash-pinned, reproducible installs for CI tooling. |
| .pre-commit-config.yaml | Disables pre-commit.ci autoupdate to avoid duplicate version-bump PRs. |
| .gitignore | Ignores .github/node_modules/ produced by CI tooling install. |
| docs/security.md | Documents expanded Dependabot coverage (npm + pre-commit). |
| CLAUDE.md | Updates repo workflow/conventions notes to reflect new dependency update ownership and wrangler pinning. |
Files not reviewed (1)
- .github/package-lock.json: Language not supported
| npm i --no-save --ignore-scripts wrangler@3.114.17 | ||
| npx wrangler pages deploy _site --project-name=synthorg-pr-preview --branch="pr-${PR_NUMBER}" | ||
| npm ci --ignore-scripts --prefix .github | ||
| npx --prefix .github wrangler pages deploy _site --project-name=synthorg-pr-preview --branch="pr-${PR_NUMBER}" |
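Review bot: the removed line pinned only wrangler's own version (`wrangler@3.114.17`), so its transitive dependencies were re-resolved on every run; `npm ci` refuses to install unless `package.json` and `package-lock.json` agree, and the lockfile's `integrity` fields bind the bytes of wrangler and everything beneath it. Worth stating in the step name or a comment that this hash pin is the property Scorecard's Pinned-Dependencies check wants, so a later cleanup does not turn the command back into `npm i`.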
sharp platform binaries use compound AND licenses (e.g. "Apache-2.0 AND LGPL-3.0-or-later") where all constituents are in the allowlist, but the action doesn't split AND expressions. CI-only transitive dep via wrangler, no licensing impact.
The deploy-preview job has access to CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID secrets. Checking out package-lock.json from the PR head (needs.build.outputs.head_sha) would allow a malicious PR to supply a crafted lockfile that resolves to trojanized packages. Omitting ref defaults to the default branch (main), ensuring the lockfile comes from trusted, reviewed code.
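As an added example that is not part of this PR or the synthorg repository, the check a defender would run over a lockfile before a secret-holding job installs from it; it assumes npm's lockfileVersion 3 layout, and every package name other than wrangler is invented:

```javascript
// Added example, not code from the PR or the synthorg repository: a defender-side audit of an npm
// package-lock.json before a CI job that holds deployment secrets runs `npm ci` against it. It flags
// the ways a crafted lockfile can steer an install away from reviewed code. Sample data is constructed.

const TRUSTED_REGISTRY = "https://registry.npmjs.org/";
// Subresource-integrity string for sha512: base64 of 64 bytes is exactly 86 chars plus "==".
const SHA512_SRI = /^sha512-[A-Za-z0-9+\/]{86}==$/;

// Registry tarball URL npm would produce: <registry><name>/-/<unscoped-name>-<version>.tgz
function expectedTarballUrl(name, version) {
  const unscoped = name.includes("/") ? name.split("/")[1] : name;
  return `${TRUSTED_REGISTRY}${name}/-/${unscoped}-${version}.tgz`;
}

// Returns { path, rule, detail } findings for a lockfileVersion 2 or 3 object.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root manifest or workspace symlink: nothing is fetched
    // "node_modules/a/node_modules/@s/b" -> "@s/b" ("node_modules/" is 13 chars)
    const name = entry.name || path.slice(path.lastIndexOf("node_modules/") + 13);
    const resolved = entry.resolved || "";
    if (!resolved.startsWith(TRUSTED_REGISTRY)) {
      // git:, http:, file: or a foreign host: npm ci would fetch code nobody reviewed
      findings.push({ path, rule: "untrusted-source", detail: resolved || "(no resolved url)" });
    } else if (resolved !== expectedTarballUrl(name, entry.version)) {
      // right registry, but the tarball does not belong to this name/version pair
      findings.push({ path, rule: "tarball-mismatch", detail: resolved });
    }
    if (!SHA512_SRI.test(entry.integrity || "")) {
      // missing or weaker-than-sha512 integrity: the lockfile does not bind the downloaded bytes
      findings.push({ path, rule: "weak-or-missing-integrity", detail: entry.integrity || "(none)" });
    }
    if (entry.hasInstallScript) {
      // harmless only when the install runs with --ignore-scripts, as the workflow in this PR does
      findings.push({ path, rule: "has-install-script", detail: name });
    }
  }
  return findings;
}

// Safe to hand to `npm ci --ignore-scripts` only when the sole findings are install-script notices.
function lockfileIsTrusted(lock) {
  return auditLockfile(lock).every((f) => f.rule === "has-install-script");
}

// Constructed sample: one clean entry (wrangler, the package the PR pins) and two tampered, invented ones.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "ci-tooling", devDependencies: { wrangler: "3.114.17" } },
    "node_modules/wrangler": {
      version: "3.114.17",
      resolved: "https://registry.npmjs.org/wrangler/-/wrangler-3.114.17.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==", // placeholder digest, not wrangler's real one
    },
    "node_modules/@example/helper": { // foreign host and a sha1 hash
      version: "1.0.0",
      resolved: "https://mirror.invalid/helper-1.0.0.tgz",
      integrity: "sha1-" + "B".repeat(27) + "=",
    },
    "node_modules/example-cli": { // right host, wrong tarball version, install script
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/example-cli/-/example-cli-2.0.1.tgz",
      integrity: "sha512-" + "C".repeat(86) + "==",
      hasInstallScript: true,
    },
  },
};
```

Run as a gate before the `npm ci` step, the audit only needs to be applied to the lockfile the job actually installs from; with `ref: main` that is main's copy, which is why the PR-head variant is the dangerous one.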
- Pin @img/sharp-* exemptions to @0.33.5 for consistency with the versioned Python PURL pattern
- Add explicit ref: main to the CI tooling checkout step so the intent is unambiguous (matches the step name)
Pull request overview
This PR expands automated dependency maintenance and hardens CI tooling installs by adding Dependabot coverage for npm and pre-commit, and by moving the Cloudflare wrangler install to a lockfile-pinned npm workspace under /.github.
Changes:
- Add Dependabot update configs for `pre-commit` and `npm` (covering `/web`, `/site`, and `/.github`), and document the added ecosystems.
- Introduce `/.github/package.json` + `package-lock.json` to lockfile-pin `wrangler`, and update `pages-preview.yml` to install via `npm ci --prefix .github`.
- Disable pre-commit.ci autoupdates and adjust dependency-review allowlist entries for newly introduced npm transitive deps.
Reviewed changes
Copilot reviewed 7 out of 9 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| docs/security.md | Updates supply-chain dependency management documentation to include new Dependabot ecosystems. |
| CLAUDE.md | Documents pre-commit.ci autoupdate disablement and lockfile-pinned wrangler usage in CI. |
| .pre-commit-config.yaml | Disables pre-commit.ci autoupdate schedule to avoid duplicate version-bump PRs. |
| .gitignore | Ignores /.github/node_modules/ produced by CI-only tooling installs. |
| .github/workflows/pages-preview.yml | Switches wrangler install to lockfile-based npm ci --prefix .github and uses it for Pages deploys. |
| .github/workflows/dependency-review.yml | Adds allowlist entries for certain npm packages (sharp platform binaries) introduced transitively via wrangler. |
| .github/package.json | Adds a CI-only npm manifest to pin wrangler as a dependency. |
| .github/package-lock.json | Adds the lockfile to hash-pin transitive dependencies for CI tooling. |
| .github/dependabot.yml | Adds Dependabot entries for pre-commit and npm ecosystems (including /.github). |
Files not reviewed (1)
- .github/package-lock.json: Language not supported
| - name: Checkout CI tooling (wrangler lockfile from main) | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | ||
| with: | ||
| ref: main |
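Review bot: `ref: main` is the right call for a job holding `CLOUDFLARE_API_TOKEN`, since a lockfile taken from the PR head could redirect `npm ci` to attacker-chosen tarballs, but one consequence belongs in the step comment: a Dependabot PR that bumps `.github/package-lock.json` is never exercised by the preview deploy until it is merged, because the deploy always installs main's wrangler. Keep `persist-credentials: false` on this checkout as well, so the token the action would otherwise store in the git config is not available to the deploy step.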
| npm i --no-save --ignore-scripts wrangler@3.114.17 | ||
| npx wrangler pages deploy _site --project-name=synthorg-pr-preview --branch="pr-${PR_NUMBER}" | ||
| npm ci --ignore-scripts --prefix .github | ||
| npx --prefix .github wrangler pages deploy _site --project-name=synthorg-pr-preview --branch="pr-${PR_NUMBER}" |
🤖 I have created a release *beep* *boop*

## [0.1.4](v0.1.3...v0.1.4) (2026-03-14)

### Features

* add approval workflow gates to TaskEngine ([#387](#387)) ([2db968a](2db968a))
* implement checkpoint recovery strategy ([#367](#367)) ([f886838](f886838))

### CI/CD

* add npm and pre-commit ecosystems to Dependabot ([#369](#369)) ([54e5fe7](54e5fe7))
* bump actions/setup-node from 4.4.0 to 6.3.0 ([#360](#360)) ([2db5105](2db5105))
* bump github/codeql-action from 3.32.6 to 4.32.6 ([#361](#361)) ([ce766e8](ce766e8))
* group major dependabot bumps per ecosystem ([#388](#388)) ([3c43aef](3c43aef))

### Maintenance

* bump @vitejs/plugin-vue from 5.2.4 to 6.0.5 in /web ([#382](#382)) ([d7054ee](d7054ee))
* bump @vue/tsconfig from 0.7.0 to 0.9.0 in /web in the minor-and-patch group across 1 directory ([#371](#371)) ([64fa08b](64fa08b))
* bump astro from 5.18.1 to 6.0.4 in /site ([#376](#376)) ([d349317](d349317))
* bump https://github.com/astral-sh/ruff-pre-commit from v0.15.5 to 0.15.6 ([#372](#372)) ([dcacb2e](dcacb2e))
* bump https://github.com/gitleaks/gitleaks from v8.24.3 to 8.30.1 ([#375](#375)) ([a18e6ed](a18e6ed))
* bump https://github.com/hadolint/hadolint from v2.12.0 to 2.14.0 ([#373](#373)) ([47b906b](47b906b))
* bump https://github.com/pre-commit/pre-commit-hooks from v5.0.0 to 6.0.0 ([#374](#374)) ([1926555](1926555))
* bump litellm from 1.82.1 to 1.82.2 in the minor-and-patch group ([#385](#385)) ([fa4f7b7](fa4f7b7))
* bump node from 22-alpine to 25-alpine in /docker/web ([#359](#359)) ([8d56cd3](8d56cd3))
* bump node from 22-slim to 25-slim in /docker/sandbox ([#358](#358)) ([3de8748](3de8748))
* bump pinia from 2.3.1 to 3.0.4 in /web ([#381](#381)) ([c78dcc2](c78dcc2))
* bump the major group across 1 directory with 9 updates ([#389](#389)) ([9fa621b](9fa621b))
* bump the minor-and-patch group with 2 updates ([#362](#362)) ([6ede2ce](6ede2ce))
* bump vue-router from 4.6.4 to 5.0.3 in /web ([#378](#378)) ([6c60f6c](6c60f6c))
* expand review skills to 18 smart conditional agents ([#364](#364)) ([494013f](494013f))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Summary
- Add npm ecosystem covering `/web`, `/site`, and `/.github` directories — previously no npm dependencies were auto-updated
- Add pre-commit ecosystem (newly supported by Dependabot as of 2026-03-10), covering hook `rev:` tags
- Pin wrangler via lockfile (`.github/package.json` + `package-lock.json`) instead of bare `npm i wrangler@version`, resolving OSSF Scorecard Pinned-Dependencies alert #32 (9/9 npm commands now hash-pinned)
- Update `pages-preview.yml` to use `npm ci --prefix .github` (lockfile-based install)
- Disable pre-commit.ci autoupdate (`autoupdate_schedule: never`) — Dependabot now owns version bumps, avoiding duplicate PRs
- Add `.github/node_modules/` to `.gitignore`

All 6 Dependabot ecosystems are now on daily schedule: `uv`, `github-actions`, `pre-commit`, `npm`, `docker` (x3).

Test plan
- `pages-preview.yml` deploy step works with `npm ci --prefix .github` (wrangler installs from lockfile)

🤖 Generated with Claude Code