41 changes: 41 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -29,6 +29,29 @@ updates:
labels:
- "dependencies"
- "npm"
# Groups: batch alert waves so a solo operator can absorb them.
# Without grouping, a typical Monday wave is ~15-20 individual PRs per repo;
# grouped it's 3-5. Production patch/minor split keeps risk-tiers separate.
# Dev deps batched freely (no runtime exposure). Security updates split by
# severity so a critical CVE never gets bundled with a minor upgrade.
Comment on lines +35 to +36
medium

The comment states that security updates are split by severity, but the configuration actually filters by update-types (patch vs. minor). Dependabot groups do not natively support a severity filter. A critical vulnerability and a low-severity vulnerability will be bundled together if they both result in the same update type (e.g., both are patches). The current configuration effectively isolates major updates by not including them in any group.

    # Dev deps batched freely (no runtime exposure). Security updates split by
    # update-types to keep PR volume manageable while isolating major updates.

groups:
npm-patch-prod:
applies-to: version-updates
update-types: ["patch"]
dependency-type: "production"
npm-minor-prod:
applies-to: version-updates
update-types: ["minor"]
dependency-type: "production"
npm-dev-deps:
applies-to: version-updates
dependency-type: "development"
npm-security-patch:
applies-to: security-updates
update-types: ["patch"]
npm-security-minor:
applies-to: security-updates
update-types: ["minor"]
Comment on lines +49 to +54
medium

These security groups do not specify a dependency-type. Consequently, security updates for both production and development dependencies will be bundled together. This contradicts the goal stated on lines 34-35 to keep "risk-tiers separate" and ensure dev dependencies have "no runtime exposure". To maintain this isolation for security updates, consider adding dependency-type: "production" to these groups.

      npm-security-patch:
        applies-to: security-updates
        update-types: ["patch"]
        dependency-type: "production"
      npm-security-minor:
        applies-to: security-updates
        update-types: ["minor"]
        dependency-type: "production"


# ---------- GitHub Actions ecosystem ----------
- package-ecosystem: "github-actions"
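Review bot: `npm-dev-deps` is the only group with no `update-types`, so it also absorbs major bumps; a breaking major upgrade of a build or test tool would land in the same batched PR as routine dev patches, which works against the "keeps risk-tiers separate" intent two lines above it. Either add `update-types: ["patch", "minor"]` so dev majors arrive as individual PRs the way production majors do, or say in the comment that dev majors are deliberately batched. Worth adding next to the security groups, too, that a fix which needs a major bump matches neither `npm-security-patch` nor `npm-security-minor` and will open on its own.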
Expand Down Expand Up @@ -69,3 +92,21 @@ updates:
labels:
- "dependencies"
- "python"
# Groups: parallel batching to the npm block above. uv does not expose
# the `dependency-type: production|development` axis the same way npm
# does (uv uses dependency-groups in pyproject.toml), so groups are
# split by update-types alone. Security updates split by severity to
# keep critical CVEs unbundled.
Comment on lines +98 to +99
medium

Similar to the npm section, the comment claims to split by severity, but the implementation uses update-types. Since Dependabot does not support severity-based grouping, this description is inaccurate. A critical CVE will still be bundled with other updates if it falls under the 'patch' or 'minor' update types.

    # split by update-types alone. Security updates split by update-types to
    # keep PR volume manageable while isolating major updates.

groups:
uv-patch:
applies-to: version-updates
update-types: ["patch"]
uv-minor:
applies-to: version-updates
update-types: ["minor"]
uv-security-patch:
applies-to: security-updates
update-types: ["patch"]
uv-security-minor:
applies-to: security-updates
update-types: ["minor"]
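Review bot: the comment calls this "parallel batching to the npm block above", but without the dev/prod axis `uv-patch` and `uv-minor` each mix runtime packages with tooling from the project's dependency groups in one PR, so the "no runtime exposure" reasoning from the npm block does not carry over. If the tooling set is known, a `patterns` list on a separate group (one matching the lint and test packages) would restore the split; otherwise the comment should state that uv batches carry mixed risk and need a per-package look at review time. As with npm, a security fix that requires a major bump matches neither `uv-security-patch` nor `uv-security-minor` and opens as an individual PR; a line in the comment saying so would save surprise later.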