From 14e1d1f397207fc99373d83adea59b99373c8cc0 Mon Sep 17 00:00:00 2001
From: Oleksii Dolhov
Date: Thu, 25 Jun 2026 11:47:55 +0300
Subject: [PATCH] docs(dependabot): clarify that security updates always target main (#1341)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The config already sets `target-branch: dev` on every ecosystem (live on main since v0.6.1), so version-update PRs correctly flow to dev.

The remaining symptom in #1341 — Dependabot *security* PRs (#1298 form-data, #1324 vite) opening against `main` — is GitHub's by-design routing: security updates ignore `target-branch` and always target the default branch, and closing them triggers a recreate loop.

Spell that out in the config comment with what to do instead (merge to main as a security fix; reaches dev on the next back-merge, or cherry-pick if urgent), so this isn't re-filed as a config bug.

No behavioral change — comment only.

Related to #1341

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/dependabot.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index c071336a..a215fc0e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,8 +1,15 @@ version: 2 # All version-update PRs target `dev` per the SDLC (feature → dev → main). # Note: Dependabot reads this file from the DEFAULT branch (main), so changes -# here only take effect after a release cut. Security updates ignore -# target-branch and still go to main by GitHub design. +# here only take effect after a release cut. +# +# SECURITY updates ignore `target-branch` and ALWAYS open against the default +# branch (main) by GitHub design — `target-branch: dev` cannot redirect them, +# and closing such a PR just makes Dependabot recreate it against main. So a +# Dependabot *security* PR against `main` is EXPECTED, not a config misroute +# (see #1341): let it merge to main as a security fix and it reaches dev on the +# next release back-merge, or cherry-pick the bump into a dev PR if urgent. +# Only *version* updates honor the per-entry `target-branch: dev` below. updates: # GitHub Actions: catch new SHAs for already-pinned third-party actions and # flag CVEs in first-party actions. Weekly cadence — security PRs from
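Review bot: the added "let it merge to main as a security fix" guidance in the new SECURITY paragraph makes this the one documented path that skips the "feature → dev → main" flow stated two lines above it, so say explicitly that the normal review and CI gates on main still apply to these PRs (EXPECTED should not read as auto-merge) and that the "cherry-pick the bump into a dev PR" path leaves the same bump to be reconciled at the next release back-merge. The claim that "closing such a PR just makes Dependabot recreate it against main" is the observation from #1341 and the reference is already cited, so it is fine, but it belongs next to that claim rather than at the end of the sentence about misrouting, where a reader may take the issue link as covering only the routing point.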