
ci(security): add Dependabot groups for batched alert processing #41

Merged: RBKunnela merged 1 commit into main from ci/dependabot-groups on May 23, 2026

Conversation

RBKunnela (Owner) commented May 23, 2026

Why

Mon 2026-05-25 06:00 UTC Dependabot wave: ~50 individual PRs expected across the 3 paybot repos. Solo-founder bandwidth cannot absorb. Groups: block batches into ~12-15 PRs.

paybot-sdk currently shows 6 open vulnerabilities (3 high, 3 moderate) on default branch — all will surface as PRs Monday morning. Without grouping, that's 6 separate PRs from this repo alone, on top of weekly version-updates.

What

Adds groups: block per @devops 3-week absorption runbook (handoff-2026-05-22-paybot-gtm-multi-track.md):

npm ecosystem (5 groups):

  • npm-patch-prod — version-updates, patch, production
  • npm-minor-prod — version-updates, minor, production
  • npm-dev-deps — version-updates, development (all update-types)
  • npm-security-patch — security-updates, patch
  • npm-security-minor — security-updates, minor

uv ecosystem at /packages/python (4 groups):

  • uv-patch / uv-minor — version-updates
  • uv-security-patch / uv-security-minor — security-updates

uv lacks npm's dependency-type: production|development axis (uv uses pyproject dependency-groups), so the uv block splits by update-type alone. Security severity split preserved.

Authority

Deadline

Must merge before Mon 2026-05-25 06:00 UTC (Dependabot daily run).

YAML validation

Local python -c "import yaml; yaml.safe_load(...)" passes. All 3 ecosystems parse cleanly; group keys verified.

Co-Authored-By: Claude Opus 4.7 noreply@anthropic.com

Summary by CodeRabbit

  • Chores
    • Updated dependency update configuration to organize updates into logical grouping batches. Production, development, and security updates are now processed separately for improved pull request organization and review efficiency.

Review Change Stack

Why:
  Mon 2026-05-25 06:00 UTC Dependabot wave projected to ~50 individual
  PRs across the 3 paybot repos. Solo-founder bandwidth cannot absorb.
  Groups batch into ~12-15 PRs total.

What:
  npm ecosystem: 5 groups
    - npm-patch-prod / npm-minor-prod  (version-updates, prod, split by risk)
    - npm-dev-deps                     (version-updates, dev, batched freely)
    - npm-security-patch / npm-security-minor  (security-updates, split by severity)
  uv ecosystem (packages/python): 4 groups
    - uv-patch / uv-minor              (version-updates)
    - uv-security-patch / uv-security-minor
    (uv lacks the dependency-type axis npm has, so groups split by
     update-type alone; severity split preserved for security updates.)

Precedent: scanner-bundle PRs paybot-core #3 (6dc6f5aa), paybot-sdk #11
(2513676), paybot-mcp #1 (a6c211db) — same gate model.

Authority: full SINKRA chain per .claude/rules/automated-pr-merge-authority.md.
@qa lightweight (CI green + YAML validity + schema correct) then @devops merge.
DO NOT MERGE before @qa PASS.

Deadline: must merge before Mon 2026-05-25 06:00 UTC.
coderabbitai (Bot) commented May 23, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 5dff725 and 0f3aec1.

📒 Files selected for processing (1)
  • .github/dependabot.yml

Walkthrough

Updated .github/dependabot.yml to configure Dependabot grouping rules for npm and Python ecosystems. Production and development dependencies are batched separately, security updates are split by severity (patch vs. minor), and Python dependencies use type-based grouping consistent with uv's dependency model.

Changes

Dependabot Update Groups

| Layer / File(s) | Summary |
|---|---|
| npm and Python dependency group rules: .github/dependabot.yml | npm ecosystem groups production patch/minor updates separately from dev deps and security updates (patch and minor split). uv (Python) ecosystem adds analogous groups for patch/minor version updates and patch/minor security updates with type-aware batching. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • RBKunnela/paybot-sdk#11: Establishes initial Dependabot configuration; this PR refines its update grouping strategy across npm and Python ecosystems.
🚥 Pre-merge checks: ✅ 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding Dependabot groups configuration for batching security and version update PRs, which is the core intent of the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



gemini-code-assist (Bot) left a comment

Code Review

This pull request introduces grouping for Dependabot updates in the npm and Python (uv) ecosystems to batch patch and minor updates, aiming to reduce PR volume. Feedback indicates that the comments regarding security updates being split by severity are inaccurate as Dependabot only supports grouping by update type. Furthermore, the npm security groups should explicitly specify the production dependency type to ensure consistent isolation between production and development risk tiers.

Comment thread .github/dependabot.yml
Comment on lines +35 to +36
# Dev deps batched freely (no runtime exposure). Security updates split by
# severity so a critical CVE never gets bundled with a minor upgrade.

medium

The comment states that security updates are split by severity, but the configuration actually filters by update-types (patch vs. minor). Dependabot groups do not natively support a severity filter. A critical vulnerability and a low-severity vulnerability will be bundled together if they both result in the same update type (e.g., both are patches). The current configuration effectively isolates major updates by not including them in any group.

    # Dev deps batched freely (no runtime exposure). Security updates split by
    # update-types to keep PR volume manageable while isolating major updates.

Comment thread .github/dependabot.yml
Comment on lines +49 to +54
npm-security-patch:
applies-to: security-updates
update-types: ["patch"]
npm-security-minor:
applies-to: security-updates
update-types: ["minor"]
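Review bot: with update-types limited to ["patch"] and ["minor"], a security fix that needs a major version bump matches neither npm-security-patch nor npm-security-minor, so Dependabot will still open it as an individual PR (the uv security groups have the same shape, so the same applies there). Leaving breaking upgrades unbatched is a defensible choice, but it should be stated in the header comment above and budgeted into the ~12-15 PR estimate; if batching those is wanted instead, add a third group with update-types: ["major"].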

medium

These security groups do not specify a dependency-type. Consequently, security updates for both production and development dependencies will be bundled together. This contradicts the goal stated on lines 34-35 to keep "risk-tiers separate" and ensure dev dependencies have "no runtime exposure". To maintain this isolation for security updates, consider adding dependency-type: "production" to these groups.

      npm-security-patch:
        applies-to: security-updates
        update-types: ["patch"]
        dependency-type: "production"
      npm-security-minor:
        applies-to: security-updates
        update-types: ["minor"]
        dependency-type: "production"

Comment thread .github/dependabot.yml
Comment on lines +98 to +99
# split by update-types alone. Security updates split by severity to
# keep critical CVEs unbundled.

medium

Similar to the npm section, the comment claims to split by severity, but the implementation uses update-types. Since Dependabot does not support severity-based grouping, this description is inaccurate. A critical CVE will still be bundled with other updates if it falls under the 'patch' or 'minor' update types.

    # split by update-types alone. Security updates split by update-types to
    # keep PR volume manageable while isolating major updates.
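Added illustration, not the file from this PR (the page shows .github/dependabot.yml only in fragments): the nine groups described in the PR body, with the reviewer's dependency-type fix applied to the npm security groups and the "severity" wording corrected. The directory values, the daily schedule, and the omission of the third ecosystem the PR body mentions are assumptions.

```yaml
# .github/dependabot.yml (illustrative; directory and schedule values assumed)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    groups:
      # Version updates: production split by risk (patch vs minor),
      # dev deps batched freely across all update-types.
      npm-patch-prod:
        applies-to: version-updates
        dependency-type: "production"
        update-types: ["patch"]
      npm-minor-prod:
        applies-to: version-updates
        dependency-type: "production"
        update-types: ["minor"]
      npm-dev-deps:
        applies-to: version-updates
        dependency-type: "development"
      # Security updates: split by update-type, not severity (Dependabot
      # groups have no severity filter). dependency-type keeps dev-only
      # vulnerabilities out of the production batches, per review.
      # Fixes needing a major bump match no group and arrive as single PRs.
      npm-security-patch:
        applies-to: security-updates
        dependency-type: "production"
        update-types: ["patch"]
      npm-security-minor:
        applies-to: security-updates
        dependency-type: "production"
        update-types: ["minor"]
  - package-ecosystem: "uv"
    directory: "/packages/python"
    schedule:
      interval: "daily"
    groups:
      # uv has no production/development axis, so split by update-type only.
      uv-patch:
        applies-to: version-updates
        update-types: ["patch"]
      uv-minor:
        applies-to: version-updates
        update-types: ["minor"]
      uv-security-patch:
        applies-to: security-updates
        update-types: ["patch"]
      uv-security-minor:
        applies-to: security-updates
        update-types: ["minor"]
```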

RBKunnela merged commit c403add into main on May 23, 2026
8 checks passed
RBKunnela deleted the ci/dependabot-groups branch on May 23, 2026 at 09:02