Dependabot: Add npm entry so security update PRs can be rebased #79076
manzoorwanijk wants to merge 2 commits into
Conversation
Dependabot security updates run independently of dependabot.yml and open npm PRs even though only the github-actions ecosystem is configured. Without an npm entry those PRs have no owning config, so rebase/recreate fail. Add an npm entry with open-pull-requests-limit: 0 to give security updates a config owner while keeping noisy version updates disabled.
9969a6d to 5bfa5f1 (Compare)
Flaky tests detected in 295ac56. 🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/27321031938
aduth left a comment:
I'd be curious if folks like @desrosj would be interested to keep and continue maintaining the dependency updates for non-security updates? There's some engagement here on our part.
```yaml
    # disables noisy npm *version* updates across the monorepo;
    # *security* updates ignore this limit and keep running.
    open-pull-requests-limit: 0
    cooldown:
      default-days: 7
    labels:
      - 'dependencies'
      - '[Type] Build Tooling'
```
I'm trying to understand this configuration in relation to the behavior you describe in the original comment. If security updates don't consider dependabot.yml, then what's the point of adding cooldown and labels here? Will security updates consider those aspects of the configuration (which for labeling would be great to avoid a little bit of maintainer tedium)? And would we want a cooldown for security updates, or want those immediately?
Good catch! When a matching ecosystem entry exists, security PRs honor labels (on the default branch) but not cooldown ("only available for version updates"). open-pull-requests-limit is also ignored by security updates.
So labels is the point - it removes the manual labeling tedium you linked. cooldown is inert here (and we wouldn't want to delay security fixes anyway). I'll update it.
What?

Adds an `npm` entry to `.github/dependabot.yml` so that Dependabot security updates for npm packages have an owning config block. Version updates for npm remain disabled via `open-pull-requests-limit: 0`.

Why?

Dependabot security updates run from the repository's security settings, independently of `dependabot.yml`, and will open PRs for npm vulnerabilities even though we only configure the `github-actions` ecosystem today. Because there is no `npm` entry, those PRs have no owning config, so `@dependabot rebase` and `@dependabot recreate` both fail with a misleading message:

This leaves the only recourse as closing the PR and waiting for the next scan — see the loop on #75964. Adding an `npm` ecosystem entry gives these security PRs a config owner so `rebase`/`recreate` work, and lets us apply consistent labels and a cooldown.

We deliberately do not want to enable npm version updates across this monorepo, which would flood the repo with hundreds of PRs. Setting `open-pull-requests-limit: 0` disables version updates while leaving security updates unaffected (the limit does not apply to them).

How?

- `package-ecosystem: 'npm'` entry rooted at `/`.
- `open-pull-requests-limit: 0` to keep version updates off while security updates continue.
- `cooldown` and the `dependencies` / `[Type] Build Tooling` labels, mirroring the existing `github-actions` configuration.

Testing Instructions

- Validate the YAML (`npx js-yaml .github/dependabot.yml` or any YAML linter).
- Dependabot security PRs for npm should respond to `@dependabot rebase` / `@dependabot recreate` instead of reporting a missing config entry, and should carry the configured labels.

Use of AI Tools

This PR was drafted with the assistance of Claude Code. All changes were reviewed by the author.
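For reference, here is what a complete `.github/dependabot.yml` looks like once the npm entry is shaped the way the review thread above settles on: labels kept (security PRs honor them), `cooldown` dropped (inert for security updates, and delaying security fixes is undesirable), and `open-pull-requests-limit: 0` kept so version updates stay off. This is an added illustration, not the PR's actual diff; the `github-actions` entry's `schedule` and `directory` values are assumptions, since the page does not show them.

```yaml
# Example (not the repository's real file): both entries under the
# top-level `updates` list so every Dependabot PR has a config owner.
version: 2
updates:
  # Existing entry (details assumed for illustration).
  - package-ecosystem: 'github-actions'
    directory: '/'
    schedule:
      interval: 'weekly'
    labels:
      - 'dependencies'
      - '[Type] Build Tooling'

  # New entry: owns npm *security* update PRs so that
  # `@dependabot rebase` / `@dependabot recreate` can find a config.
  - package-ecosystem: 'npm'
    directory: '/'
    schedule:
      interval: 'weekly'   # required key; irrelevant while the limit is 0
    # 0 disables noisy npm *version* updates across the monorepo;
    # security updates ignore this limit and keep running.
    open-pull-requests-limit: 0
    # No `cooldown` here: per the thread above it only applies to
    # version updates, and security fixes should land without delay.
    labels:
      - 'dependencies'
      - '[Type] Build Tooling'
```

A quick sanity check that the file still parses is the one the PR lists, `npx js-yaml .github/dependabot.yml`; whether a security PR actually picks up the labels is only observable on the next Dependabot alert PR.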