chore(ci): disable routine Dependabot version updates, keep security-only#133
Merged
Conversation
Routine scheduled version bumps create excessive PR/notification noise and are unnecessary for a docs site. Removing .github/dependabot.yml stops all scheduled version updates. Dependabot security updates remain enabled at the repo level, so CVE / supply-chain fixes are still opened automatically when a real vulnerability is found.
Overview (Chinese)
Turn off Dependabot's scheduled version updates and keep only security updates.
After the previous PR was merged, Dependabot opened 8 routine upgrade PRs at once, a notification bombardment. For a docs site, such routine upgrades are both unnecessary and too frequent. Unless there is a CVE or upstream poisoning, dependencies do not need to be proactively kept current.
Approach: delete .github/dependabot.yml, which stops all scheduled version updates. The repository's "Dependabot security updates" setting remains enabled (confirmed: automated-security-fixes.enabled = true), so when a real vulnerability appears a fix PR will still open automatically; the security updates that should arrive are not missed, and the routine noise is gone. After merging, no further version upgrade PRs will be triggered.
Summary (English)
Turns off Dependabot's routine version updates and keeps only security updates.
After the previous merge, Dependabot opened 8 routine bump PRs at once — a notification flood. For a docs site, routine upgrades are both unnecessary and too frequent; dependencies don't need proactive chasing unless there's a CVE or a supply-chain compromise.
Change: delete .github/dependabot.yml, which stops all scheduled version updates. The repo-level "Dependabot security updates" stays enabled (confirmed automated-security-fixes.enabled = true), so a fix PR is still opened automatically when a real vulnerability appears — security coverage intact, routine noise gone. Merging this opens no further upgrade PRs.
Scope
Verification
vulnerability-alerts: 204, automated-security-fixes.enabled = true
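As an added check that is not part of this PR, the routine below folds the two answers quoted under Verification (the 204 from the vulnerability-alerts endpoint and the enabled flag from automated-security-fixes) together with whether .github/dependabot.yml still exists, and reports any gap in the intended security-only posture. The sample values are constructed; the paused field is the one GitHub returns beside enabled when it has auto-paused Dependabot on an inactive repository, which would silently stop fix PRs even with enabled = true.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample answers (hypothetical, not captured from a real repo), shaped like
# the two GitHub REST endpoints the Verification section quotes:
#   GET /repos/{owner}/{repo}/vulnerability-alerts     -> HTTP 204 enabled, 404 disabled
#   GET /repos/{owner}/{repo}/automated-security-fixes -> {"enabled": bool, "paused": bool}
SAMPLE_ALERTS_STATUS = 204
SAMPLE_FIXES_BODY = '{"enabled": true, "paused": false}'
SAMPLE_DEPENDABOT_YML = None  # None models the deleted .github/dependabot.yml


@dataclass
class Posture:
    alerts_enabled: bool              # Dependabot alerts (detection) are on
    fixes_enabled: bool               # Dependabot security updates (fix PRs) are on
    fixes_paused: bool                # GitHub pauses Dependabot PRs on inactive repos
    version_updates_configured: bool  # a dependabot.yml schedules routine bumps

    @property
    def security_only(self) -> bool:
        """True only when fix PRs can still open and no routine bumps are scheduled."""
        return (self.alerts_enabled and self.fixes_enabled
                and not self.fixes_paused and not self.version_updates_configured)


def assess(alerts_status: int, fixes_json: str, dependabot_yml: Optional[str]) -> Posture:
    """Fold the two API answers and the config file's presence into one Posture."""
    body = json.loads(fixes_json) if fixes_json else {}
    return Posture(
        alerts_enabled=(alerts_status == 204),
        fixes_enabled=bool(body.get("enabled", False)),
        fixes_paused=bool(body.get("paused", False)),
        version_updates_configured=(dependabot_yml is not None),
    )


def findings(p: Posture) -> List[str]:
    """Human-readable gaps; an empty list means the security-only posture holds."""
    out = []
    if not p.alerts_enabled:
        out.append("alerts off: vulnerable dependencies are not detected at all")
    if not p.fixes_enabled:
        out.append("security updates off: no fix PR will open for a CVE")
    if p.fixes_paused:
        out.append("security updates paused: no fix PR opens until Dependabot is resumed")
    if p.version_updates_configured:
        out.append("dependabot.yml present: scheduled version bumps will still open PRs")
    return out


if __name__ == "__main__":
    print(findings(assess(SAMPLE_ALERTS_STATUS, SAMPLE_FIXES_BODY, SAMPLE_DEPENDABOT_YML)))
```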