Skip to content

chore: keep test fixtures out of GitHub's dependency graph#12465

Merged
zkochan merged 1 commit into
mainfrom
dep-fix
Jun 17, 2026
Merged

chore: keep test fixtures out of GitHub's dependency graph#12465
zkochan merged 1 commit into
mainfrom
dep-fix

Conversation

@zkochan

@zkochan zkochan commented Jun 17, 2026

Copy link
Copy Markdown
Member

Problem

Dependabot regularly opens noisy PRs (and raises alerts) to bump dependencies that exist in the repo only as test-fixture data, never as packages we actually install — for example the js-cookie bump in #11840.

The cause: GitHub's dependency graph scans every package.json/lockfile in the repo, including the hundreds under fixture directories. Those fixtures reference real package names (js-cookie, eslint, webpack, …) purely to exercise install/resolution logic, so each one becomes a graph entry that Dependabot can alert and open security PRs for.

exclude-paths in dependabot.yml does not help here — it only suppresses version updates, not the security updates these PRs are.

Fix

Mark the fixture trees as linguist-generated in .gitattributes:

**/fixtures/** linguist-generated
**/__fixtures__/** linguist-generated
**/findPackages-fixtures/** linguist-generated
pnpr/.fixtures/** linguist-generated

GitHub's dependency graph reuses Linguist's vendored/generated classification, so generated-marked manifests are excluded from the graph — and therefore from Dependabot alerts and automatic security-update PRs. As a bonus, fixtures collapse in diffs.

The @pnpm/test-fixtures helper package (__utils__/test-fixtures) is real source and is intentionally left unmarked. Verified with git check-attr linguist-generated that every fixture manifest is matched while real source, the root package.json, and the dist bundle are not.

Fixtures keep their package.json names and locations, so no test, loader, or build step changes.

Verification needed after merge

GitHub documents directory-name and size/count exclusions for the dependency graph but does not explicitly document .gitattributes-based exclusion, so this should be confirmed on the default branch:

  1. Check Insights → Dependency graph — fixture manifests should no longer appear.
  2. Confirm a fixture-only alert (e.g. the chore(deps): bump js-cookie from 3.0.5 to 3.0.7 in /pacquet/crates/testing-utils/src/fixtures/big #11840 class) clears.

If the graph still lists them, the documented-certain fallback is to move fixtures under a vendored-named directory (e.g. external/), which GitHub excludes by name.


Written by an agent (Claude Code, claude-opus-4-8).

Summary by CodeRabbit

  • Chores
    • Updated repository configuration to mark fixture directories as generated content, improving GitHub's repository analysis and dependency tracking.

Mark fixture trees (package.json, lockfiles) as linguist-generated in
.gitattributes so GitHub's dependency graph ignores them. This stops
Dependabot from raising alerts and opening automatic security-update PRs
for packages that appear in fixtures only as test data — e.g. the
js-cookie bump in #11840.

The `@pnpm/test-fixtures` helper package is real source and is
intentionally left unmarked.
@coderabbitai

coderabbitai Bot commented Jun 17, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 6e5948c5-e699-4c46-a18b-7d66cb91ffba

📥 Commits

Reviewing files that changed from the base of the PR and between 1495cb0 and e5e4c83.

📒 Files selected for processing (1)
  • .gitattributes

📝 Walkthrough

Walkthrough

The .gitattributes file gains eleven lines marking several fixture directory patterns (fixtures/, __fixtures__/, findPackages-fixtures/, pnpr/.fixtures/) as linguist-generated, causing GitHub to collapse those trees and exclude them from the dependency graph and security alerting.

Changes

Fixture directory linguist attributes

Layer / File(s) Summary
linguist-generated rules for fixture paths
.gitattributes
Adds linguist-generated attribute rules for fixtures/, __fixtures__/, findPackages-fixtures/, and pnpr/.fixtures/ directory patterns.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

product: pnpm, product: pnpr

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'chore: keep test fixtures out of GitHub's dependency graph' follows Conventional Commits specification with 'chore:' prefix and clearly describes the main change: preventing test fixtures from being included in GitHub's dependency graph.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dep-fix

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@qodo-free-for-open-source-projects

Copy link
Copy Markdown

PR Summary by Qodo

Exclude fixture manifests from GitHub dependency graph via .gitattributes
⚙️ Configuration changes 🕐 Less than 10 minutes

Grey Divider

Description

• Mark common fixture directories as linguist-generated to exclude their manifests from GitHub’s
 dependency graph.
• Prevent Dependabot security alerts/PRs for packages referenced only in test fixtures.
• Leave real source (e.g. __utils__/test-fixtures) unmarked to preserve normal scanning.
Diagram

graph TD
  Dev["Repo contributors"] --> GA[".gitattributes rules"] --> GH["GitHub Linguist"] --> DG["Dependency graph"] --> DB["Dependabot"]
  FX["Fixture trees"] --> GA
  subgraph Legend
    direction LR
    _cfg["Config"] ~~~ _svc["GitHub service"] ~~~ _data["Repo content"]
  end
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Move fixtures under GitHub-excluded directory names (e.g. external/ or vendor/)
  • ➕ Relies on documented dependency-graph exclusions by directory name
  • ➕ Less dependent on Linguist/dependency-graph implementation coupling
  • ➖ Higher churn: path changes across many fixtures
  • ➖ Risk of breaking tests/tools that assume existing fixture paths
  • ➖ Larger diff and review surface area
2. Delete/flatten fixture manifests (replace package.json with minimal metadata)
  • ➕ Eliminates dependency-graph inputs at the source
  • ➕ May reduce fixture maintenance long-term
  • ➖ Likely invalidates fixture realism needed for resolver/install tests
  • ➖ Requires wider test refactors and could reduce coverage fidelity
3. Use separate repo/submodule for fixtures
  • ➕ Clean separation from primary repo dependency graph
  • ➕ Can apply different scanning policies
  • ➖ Operational overhead (syncing, CI wiring)
  • ➖ Harder contributor workflow and review process

Recommendation: The .gitattributes linguist-generated approach is the best tradeoff: minimal churn, preserves fixture structure, and targets GitHub’s indexing behavior directly. Proceed with this change, but explicitly perform the post-merge verification in GitHub’s Dependency graph/Dependabot as noted; if GitHub doesn’t honor the classification for dependency graph, fall back to relocating fixtures under a documented-excluded directory name.

Files changed (1) +11 / -0

Other (1) +11 / -0
.gitattributesMark fixture directories as linguist-generated to suppress dependency scanning +11/-0

Mark fixture directories as linguist-generated to suppress dependency scanning

• Adds 'linguist-generated' patterns for common fixture directory trees ('fixtures', '__fixtures__', 'findPackages-fixtures', 'pnpr/.fixtures'). Includes comments explaining the Dependabot/dependency-graph motivation and explicitly avoids matching real source like '__utils__/test-fixtures'.

.gitattributes

@zkochan zkochan merged commit 9de161c into main Jun 17, 2026
21 checks passed
@zkochan zkochan deleted the dep-fix branch June 17, 2026 07:47
@qodo-free-for-open-source-projects

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Grey Divider

Great, no issues found!

Qodo reviewed your code and found no material issues that require review

Grey Divider

Qodo Logo

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant