Limit Dependabot to security updates and refresh dependencies#464
Merged
Conversation
Set open-pull-requests-limit to 0 for every ecosystem so Dependabot no longer opens routine version-update pull requests. This limit does not affect security updates, which Dependabot continues to open automatically when a vulnerability is reported. Merging this change also makes Dependabot close the existing version-update pull requests, since they no longer match the configuration. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bump all module dependencies to their latest versions (go get -u). The goavro upgrade (v2.12.0 -> v2.15.0) tightened Avro union encoding: a non-nil union value must be a single-key map keyed by the branch's type name. The emulator encoded a nullable nested record as a bare record map, which goavro v2.12.0 tolerated but v2.15.0 rejects, so the Storage Read API failed to encode any row containing a record field. Fix TableCell.AVROValue to wrap a nullable record value in a union map keyed by the record's full name (namespace + record name), mirroring the three-way REQUIRED/REPEATED/nullable handling already used by AVROType.MarshalJSON for the schema side. The namespace is threaded through from the top-level Avro schema. Also fix TestStorageReadAVRO/TestStorageReadARROW, which deadlocked for the full test timeout whenever the stream failed: t.Fatalf in the reader goroutine ran runtime.Goexit before the trailing close(ch), so the decoder goroutine blocked forever on the channel. The channel is now closed via defer, the goroutines report failures with t.Errorf, and either goroutine cancels a shared context so it can no longer hang the other. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This branch contains two related changes.
1. Limit Dependabot to security updates only
Addresses the request to disable Dependabot for everything except security fixes.
Each ecosystem (
gomod/github-actions/docker) now setsopen-pull-requests-limit: 0, which disables Dependabot's routine version-update pull requests.Per the GitHub documentation,
open-pull-requests-limit: 0disables version updates only and has no effect on security updates. Security updates run under a separate internal limit (10 PRs), so Dependabot will still open pull requests automatically when a vulnerability is reported against a dependency.Once this configuration change is merged, Dependabot automatically closes the existing version-update PRs that no longer match the configuration (the bot-authored PRs #449–#458).
2. Update dependencies to latest and fix AVRO union encoding
All module dependencies are bumped to their latest versions (
go get -u), so the dependency refresh that the closed Dependabot PRs would have done is applied directly here.The
goavroupgrade (v2.12.0 → v2.15.0) tightened Avro union encoding: a non-nil union value must be a single-key map keyed by the branch's type name. The emulator encoded a nullable nested record as a bare record map, which goavro v2.12.0 tolerated but v2.15.0 rejects — so the Storage Read API failed to encode any row containing a record field.TableCell.AVROValuenow wraps a nullable record value in a union map keyed by the record's full name (namespace + record name), mirroring the REQUIRED / REPEATED / nullable handling already used byAVROType.MarshalJSONon the schema side.TestStorageReadAVRO/TestStorageReadARROWpreviously deadlocked for the entire test timeout whenever the stream failed:t.Fatalfin the reader goroutine ranruntime.Goexitbefore the trailingclose(ch), so the decoder goroutine blocked forever on the channel. The channel is now closed viadefer, failures are reported witht.Errorf, and a shared cancelable context lets either goroutine unblock the other.Verified: full
go test ./server/...suite and all non-e2e packages pass;go vet ./server/...is clean.References
🤖 Generated with Claude Code