241 changes: 241 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,241 @@
# See help here: https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/enabling-and-disabling-version-updates
# Dependabot Configuration for Multi-Domain Projects
# Documentation: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

# ============================================================================
# CUSTOMIZATION GUIDE
# ============================================================================
# 1. Remove package ecosystems not used in your project (e.g., if no Java, remove maven & gradle)
# 2. Update "directory" if dependencies are in subdirectories (e.g., "/backend", "/frontend")
# 3. Adjust "schedule" timing based on your team's workflow
# 4. Set "open-pull-requests-limit" based on your review capacity (default: 5)
# 5. Add reviewers/assignees if needed:
# reviewers:
# - "username" # Individual GitHub user
# - "org/team-name" # Organization team
# assignees:
# - "username"
# 6. Customize labels to match your project's labeling system
# 7. Use "ignore" to exclude specific dependencies or update types
# 8. For monorepos, duplicate sections with different "directory" values
# ============================================================================

version: 2
updates:
# NPM - JavaScript/Node.js projects
# Remove this section if your project doesn't use npm
- package-ecosystem: "npm"
directory: "/" # Change to "/frontend" or "/backend" for monorepos
schedule:
interval: "weekly" # Options: daily, weekly, monthly
day: "monday" # For weekly: monday-sunday
time: "09:00" # UTC time
open-pull-requests-limit: 5 # Max PRs to keep open
labels:
- "dependencies"
- "npm"
commit-message:
prefix: "chore(deps)" # Follows conventional commits
include: "scope"
pull-request-branch-name:
separator: "/" # Creates branches like: dependabot/npm/package-name

# GitHub Actions - Keep workflows up to date (recommended for all projects)
- package-ecosystem: "github-actions"
directory: "/" # Scans .github/workflows/
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
open-pull-requests-limit: 5
labels:
- "dependencies"
- "github-actions"
commit-message:
prefix: "chore(deps)"
include: "scope"

# Docker - Containerized applications
# Remove this section if your project doesn't use Docker
- package-ecosystem: "docker"
directory: "/" # Directory containing Dockerfile
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
open-pull-requests-limit: 5
labels:
- "dependencies"
- "docker"
commit-message:
prefix: "chore(deps)"
include: "scope"

# Bundler - Ruby projects
# Remove this section if your project doesn't use Ruby
- package-ecosystem: "bundler"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
open-pull-requests-limit: 5
labels:
- "dependencies"
- "ruby"
commit-message:
prefix: "chore(deps)"
include: "scope"

# Cargo - Rust projects
# Remove this section if your project doesn't use Rust
- package-ecosystem: "cargo"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
open-pull-requests-limit: 5
labels:
- "dependencies"
- "rust"
commit-message:
prefix: "chore(deps)"
include: "scope"

# Maven - Java projects
# Remove this section if your project uses Gradle instead or doesn't use Java
- package-ecosystem: "maven"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
open-pull-requests-limit: 5
labels:
- "dependencies"
- "java"
commit-message:
prefix: "chore(deps)"
include: "scope"

# Gradle - Java/Kotlin/Android projects
# Remove this section if your project uses Maven instead or doesn't use Java/Kotlin
- package-ecosystem: "gradle"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
open-pull-requests-limit: 5
labels:
- "dependencies"
- "java"
commit-message:
prefix: "chore(deps)"
include: "scope"

# Composer - PHP projects
# Remove this section if your project doesn't use PHP
- package-ecosystem: "composer"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
open-pull-requests-limit: 5
labels:
- "dependencies"
- "php"
commit-message:
prefix: "chore(deps)"
include: "scope"

# Go Modules - Go projects
# Remove this section if your project doesn't use Go
- package-ecosystem: "gomod"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
open-pull-requests-limit: 5
labels:
- "dependencies"
- "go"
commit-message:
prefix: "chore(deps)"
include: "scope"

# Pip - Python projects (supports pip, pipenv, poetry)
# Remove this section if your project doesn't use Python
- package-ecosystem: "pip"
directory: "/" # Directory containing requirements.txt, Pipfile, or pyproject.toml
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
open-pull-requests-limit: 5
labels:
- "dependencies"
- "python"
commit-message:
prefix: "chore(deps)"
include: "scope"
# Uncomment and customize for AI/ML projects to prevent breaking changes:
# ignore:
# - dependency-name: "tensorflow"
# update-types: ["version-update:semver-major"]
# - dependency-name: "torch"
# update-types: ["version-update:semver-major"]
# - dependency-name: "scikit-learn"
# update-types: ["version-update:semver-major"]

# Terraform - Infrastructure as Code
# Remove this section if your project doesn't use Terraform
- package-ecosystem: "terraform"
directory: "/" # Directory containing .tf files
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
open-pull-requests-limit: 5
labels:
- "dependencies"
- "infrastructure"
commit-message:
prefix: "chore(deps)"
include: "scope"

# Pub - Dart/Flutter projects
# Remove this section if your project doesn't use Dart/Flutter
- package-ecosystem: "pub"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
open-pull-requests-limit: 5
labels:
- "dependencies"
- "flutter"
- "dart"
commit-message:
prefix: "chore(deps)"
include: "scope"

# NuGet - .NET projects (C#, F#, VB.NET)
# Remove this section if your project doesn't use .NET
- package-ecosystem: "nuget"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
open-pull-requests-limit: 5
labels:
- "dependencies"
- "dotnet"
commit-message:
prefix: "chore(deps)"
include: "scope"
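Review bot: the `commit-message` block repeated in every ecosystem entry will yield a doubled scope in the generated commits. With `include: "scope"` Dependabot appends its own `(deps)` or `(deps-dev)` to whatever `prefix` is given, so `prefix: "chore(deps)"` produces commits like `chore(deps)(deps): bump ...` rather than the conventional-commits form the inline comment promises. Either use `prefix: "chore"` together with `include: "scope"` (giving `chore(deps): ...`), or keep `prefix: "chore(deps)"` and drop the `include` line; whichever you pick, apply it to all 13 entries. Two smaller points: each of the 13 `package-ecosystem` entries carries `open-pull-requests-limit: 5`, which is already Dependabot's default (as the guide notes at "default: 5"), so the key only documents intent and a polyglot repository with every manifest present could still hold 65 open Dependabot PRs at once; and the header carries two documentation links, the first to the legacy `free-pro-team@latest` path and the second to the current configuration-options page, so the first can go.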
🧹 Nitpick | 🔵 Trivial

Aggregate PR volume can reach 70 with all ecosystems active — consider groups or multi-ecosystem-groups.

Each ecosystem independently caps at 5 open PRs, so a polyglot repository that actually uses all 14 ecosystems could accumulate up to 70 concurrent Dependabot PRs. Two mitigation strategies are worth noting in the customization guide:

  1. Per-ecosystem groups: Batch all updates for an ecosystem into a single PR (already GA).
  2. multi-ecosystem-groups (currently in beta): Dependabot's multi-ecosystem groups feature allows you to create groups that span multiple package ecosystems and get a single PR with updates across all supported ecosystems, instead of receiving separate PRs for each ecosystem.

Adding a brief mention of these options under the CUSTOMIZATION GUIDE section would help adopters proactively manage review load.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/dependabot.yml around lines 23 - 241, The file currently enables
many package-ecosystem entries which can produce up to ~70 concurrent Dependabot
PRs; update the customization guide to recommend and show how to use
per-ecosystem "groups" and the beta "multi-ecosystem-groups" to batch updates
and reduce PR volume, and mention adjusting "open-pull-requests-limit" per
ecosystem; look for the package-ecosystem blocks and the
open-pull-requests-limit keys to add a short explanatory note describing when to
use "groups" vs "multi-ecosystem-groups" and what trade-offs to expect.
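As an added example (not part of the PR's file or of the review comment above), here is the diff's npm entry rewritten with the GA `groups` option the comment refers to: non-major version updates are batched into one weekly PR, majors still arrive as individual PRs so a breaking change is reviewed on its own, and security updates are grouped separately so they are never held back by the version-update batch. The group names `npm-minor-and-patch` and `npm-security` are arbitrary labels chosen for this example, and the prefix is `chore` rather than `chore(deps)` because Dependabot appends the `(deps)` / `(deps-dev)` scope itself when `include: "scope"` is set.

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "npm"
    commit-message:
      prefix: "chore"        # Dependabot adds "(deps)" or "(deps-dev)" itself
      include: "scope"
    groups:
      # One PR per run for every minor and patch bump. Major updates do not
      # match and therefore keep their own PR, which is where breaking
      # changes should be reviewed in isolation.
      npm-minor-and-patch:
        applies-to: "version-updates"
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
      # Security updates get their own group: they are raised as soon as an
      # advisory matches instead of waiting for the weekly batch, and the
      # single PR is easy to label and prioritise in triage.
      npm-security:
        applies-to: "security-updates"
        patterns:
          - "*"
```

The same `groups` block can be copied into the other ecosystem entries of the file; only the group names and, where relevant, the `patterns` need to change.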
