Conversation
Mark fixture trees (package.json, lockfiles) as linguist-generated in .gitattributes so GitHub's dependency graph ignores them. This stops Dependabot from raising alerts and opening automatic security-update PRs for packages that appear in fixtures only as test data — e.g. the js-cookie bump in #11840. The `@pnpm/test-fixtures` helper package is real source and is intentionally left unmarked.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThe ChangesFixture directory linguist attributes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Suggested labels
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
PR Summary by QodoExclude fixture manifests from GitHub dependency graph via .gitattributes Description
Diagram
High-Level Assessment
Files changed (1)
|
Problem
Dependabot regularly opens noisy PRs (and raises alerts) to bump dependencies that exist in the repo only as test-fixture data, never as packages we actually install — for example the
js-cookiebump in #11840.The cause: GitHub's dependency graph scans every
package.json/lockfile in the repo, including the hundreds under fixture directories. Those fixtures reference real package names (js-cookie,eslint,webpack, …) purely to exercise install/resolution logic, so each one becomes a graph entry that Dependabot can alert and open security PRs for.exclude-pathsindependabot.ymldoes not help here — it only suppresses version updates, not the security updates these PRs are.Fix
Mark the fixture trees as
linguist-generatedin.gitattributes:GitHub's dependency graph reuses Linguist's vendored/generated classification, so generated-marked manifests are excluded from the graph — and therefore from Dependabot alerts and automatic security-update PRs. As a bonus, fixtures collapse in diffs.
The
@pnpm/test-fixtureshelper package (__utils__/test-fixtures) is real source and is intentionally left unmarked. Verified withgit check-attr linguist-generatedthat every fixture manifest is matched while real source, the rootpackage.json, and the dist bundle are not.Fixtures keep their
package.jsonnames and locations, so no test, loader, or build step changes.Verification needed after merge
GitHub documents directory-name and size/count exclusions for the dependency graph but does not explicitly document
.gitattributes-based exclusion, so this should be confirmed on the default branch:If the graph still lists them, the documented-certain fallback is to move fixtures under a vendored-named directory (e.g.
external/), which GitHub excludes by name.Written by an agent (Claude Code, claude-opus-4-8).
Summary by CodeRabbit