Skip to content

chore(dependabot): only open PRs that fix security alerts#42

Closed
Alexander Kolomiytsev (AlexKolomiytsev) wants to merge 1 commit into
mainfrom
chore/dependabot-security-only
Closed

chore(dependabot): only open PRs that fix security alerts#42
Alexander Kolomiytsev (AlexKolomiytsev) wants to merge 1 commit into
mainfrom
chore/dependabot-security-only

Conversation

@AlexKolomiytsev

@AlexKolomiytsev Alexander Kolomiytsev (AlexKolomiytsev) commented May 27, 2026

Copy link
Copy Markdown
Contributor

What

Set open-pull-requests-limit: 0 on the package-manager & github-actions ecosystems in .github/dependabot.yml so Dependabot only opens PRs that fix an open security alert for them.

Why

Routine version-update PRs (e.g. type-only/transitive bumps) create review & merge overhead with no security value. This turns those off while keeping Dependabot security updates, which run on a separate internal limit and are enabled for this repo (automated-security-fixes: enabled).

Effect

  • npm / gradle / swift / github-actions — version-update PRs off; security-update PRs still open automatically.
  • docker / helm (where present) — left unchanged: they keep receiving version-update PRs (Dependabot has no security updates for these ecosystems, so disabling them would stop updates entirely).

Fleet-wide change mirroring egym/mwa-bma-features#1995.

@AlexKolomiytsev

Copy link
Copy Markdown
Contributor Author

Closing — with the final scope (Dependabot security-only limited to npm / gradle / swift), this repo has no applicable ecosystem (only github-actions/docker/helm, which we're keeping enabled), so there's nothing to change here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants