From 53a3389ed114c699c116d3fb72e056e8cbaf3ebc Mon Sep 17 00:00:00 2001 From: Simon Ser Date: Tue, 10 Dec 2024 10:28:30 +0100 Subject: [PATCH] github: only group patch upgrades The idea behind minor-and-patch was to group all uninteresting upgrades together. Indeed, with SemVer, patch and minor upgrades are not supposed to include API breaks, and grouping these together should be a good idea in theory as explained in the GitHub docs [1]. However, in practice this doesn't seem to work well. First, some packages are at version 0.x.y, and minor upgrades often contain breaking changes. Unfortunately there's no way to ask dependabot to not group these unstable dependencies. Another issue is that some minor upgrades do contain some breaking changes (e.g. typescript). Fix these issues by only grouping patch updates, which shoudl still keep the number of PRs to a reasonable number and not include any breaking upgrade. While at it, move the group to the end of the list so that it's only used if none of the other groups match the package which need updating. Indeed, dependabot picks the first group which matches the package [2]. [1]: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates#grouping-dependabot-updates-into-one-pull-request [2]: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups Signed-off-by: Simon Ser --- .github/dependabot.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4072d9a5b55..c651cc5d501 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -33,10 +33,6 @@ updates: schedule: interval: "weekly" groups: - minor-and-patch: - update-types: - - "minor" - - "patch" nivo: patterns: - "@nivo/*" @@ -50,6 +46,9 @@ updates: patterns: - "vitest" - "@vitest/*" + patch: + update-types: + - "patch" commit-message: prefix: "front:" open-pull-requests-limit: 100