chore: Add Dependabot version-update cooldown #1746
ld-repository-standards[bot] wants to merge 3 commits into
Conversation
| schedule: | ||
| interval: "weekly" | ||
| cooldown: | ||
| default-days: 7 |
Duplicate npm Dependabot coverage
Medium Severity
The file registers npm version updates at the repo root and again for each Yarn workspace package.json. For this monorepo, a root npm entry already scans every workspace listed in the root package.json, so the per-package entries largely repeat the same scope and can produce overlapping Dependabot PRs for the same dependency.
Reviewed by Cursor Bugbot for commit f629fdc.
| schedule: | ||
| interval: "weekly" | ||
| cooldown: | ||
| default-days: 7 |
Renovate and Dependabot overlap
Medium Severity
This commit adds a github-actions Dependabot entry while renovate.json still extends the recommended preset and keeps GitHub Actions updates enabled (only npm is disabled). If Renovate remains installed on the repo, both bots can propose the same workflow action bumps.
Reviewed by Cursor Bugbot for commit f629fdc.
| schedule: | ||
| interval: "weekly" | ||
| cooldown: | ||
| default-days: 7 |
Dependabot path missing package
Low Severity
The npm update entry points at /packages/sdk/react/examples/testing, but that directory is not in the repo and has no package.json. Dependabot cannot run version updates for that block, so the job fails or shows a persistent configuration error while other entries keep working.
Reviewed by Cursor Bugbot for commit 5698b08.
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
There are 4 total unresolved issues (including 3 from previous reviews).
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 85dd644.
| schedule: | ||
| interval: "weekly" | ||
| cooldown: | ||
| default-days: 7 |
Dependabot paths lack manifests
Medium Severity
Three new npm update blocks target directories that have no package.json in this repo (node-client/contract-tests, node-client/examples/hello-node-client, and react/examples/testing). Dependabot will raise dependency_file_not_found for those jobs and never produce version-update PRs there.
Reviewed by Cursor Bugbot for commit 85dd644.


This pull request was auto generated by the LaunchDarkly Github Standards automation platform.
updates in .github/dependabot.yml declares a cooldown of at least 7 days (default-days). Cooldown applies only to version updates; security updates bypass it, so critical CVE fixes are never delayed.
Ref: SEC-8058.
Note
Low Risk
CI-only configuration with no runtime code changes; only affects how and when Dependabot opens update PRs.
Overview
Introduces .github/dependabot.yml to automate dependency maintenance across the monorepo. Every updates entry uses a weekly schedule and a cooldown.default-days: 7 so routine version bumps are spaced out; security updates are not subject to cooldown (per Dependabot behavior). Coverage includes GitHub Actions at the repo root and npm for the root plus many package, example, and contract-test directories that were previously untracked.
Reviewed by Cursor Bugbot for commit 85dd644. Bugbot is set up for automated code reviews on this repo.
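The three classes of problem raised in this thread (entries whose directory has no manifest, per-workspace npm entries that a root npm entry already scans, and the cooldown requirement the automation enforces) can all be caught before the config is merged. The script below is an added example for this discussion, not LaunchDarkly's code or part of the repository-standards automation. It assumes the dependabot.yml has already been parsed into the dict shape Dependabot documents (for instance with PyYAML's yaml.safe_load) and takes the repository file list and the root package.json workspace globs as plain Python values; the sample config, file list and workspace pattern are constructed, and only /packages/sdk/react/examples/testing is a path taken from the PR page.

```python
"""Sanity-check a parsed .github/dependabot.yml against the repository layout.

Added example for this PR discussion; it is not LaunchDarkly's code. It assumes the
config has already been parsed into the documented dict shape (e.g. with PyYAML's
yaml.safe_load) and takes the repository's file list and Yarn workspace globs as
plain Python values, so it runs offline.
"""
from fnmatch import fnmatch

# Manifest Dependabot needs inside an entry's directory. A trailing "/" marks a
# directory that must hold at least one file (workflow files for github-actions).
MANIFESTS = {
    "npm": ("package.json",),
    "github-actions": (".github/workflows/",),
}


def _rel(directory):
    """Normalise a Dependabot 'directory' value ("/", "/a/b/") to a relative path."""
    return directory.strip("/")


def _has_manifest(ecosystem, directory, repo_files):
    prefix = _rel(directory) + "/" if _rel(directory) else ""
    for name in MANIFESTS.get(ecosystem, ()):
        if name.endswith("/"):
            if any(f.startswith(prefix + name) for f in repo_files):
                return True
        elif prefix + name in repo_files:
            return True
    return False


def _in_workspaces(rel, workspaces):
    """Segment-wise glob match: 'packages/*' covers 'packages/a' but not 'packages/a/b'."""
    parts = rel.split("/")
    for pattern in workspaces:
        pparts = pattern.split("/")
        if len(pparts) == len(parts) and all(fnmatch(p, q) for p, q in zip(parts, pparts)):
            return True
    return False


def check_dependabot(config, repo_files, workspaces=(), min_days=7):
    """Return human-readable findings for the 'updates' entries.

    Checks: every entry declares cooldown.default-days >= min_days (cooldown only
    throttles version updates; security updates ignore it), no two entries share an
    ecosystem+directory, each directory really holds a manifest (otherwise Dependabot
    reports dependency_file_not_found), and per-workspace npm entries are flagged
    when a root npm entry already scans those workspaces.
    """
    updates = config.get("updates", [])
    has_root_npm = any(
        e.get("package-ecosystem") == "npm" and not _rel(e.get("directory", "/"))
        for e in updates
    )
    findings, seen = [], set()
    for i, entry in enumerate(updates):
        eco = entry.get("package-ecosystem")
        directory = entry.get("directory", "/")
        label = f"updates[{i}] {eco} {directory}"
        key = (eco, _rel(directory))
        if key in seen:
            findings.append(f"{label}: duplicate entry for the same ecosystem and directory")
        seen.add(key)
        days = (entry.get("cooldown") or {}).get("default-days")
        if days is None:
            findings.append(f"{label}: no cooldown.default-days set")
        elif days < min_days:
            findings.append(f"{label}: cooldown.default-days {days} is below {min_days}")
        if not _has_manifest(eco, directory, repo_files):
            findings.append(f"{label}: no {eco} manifest found (dependency_file_not_found)")
        if eco == "npm" and has_root_npm and _in_workspaces(_rel(directory), workspaces):
            findings.append(f"{label}: workspace already scanned by the root npm entry")
    return findings


# Constructed sample mirroring the shape of the config under review. Only
# /packages/sdk/react/examples/testing is a path named on the PR page; the
# example-pkg path, file list and workspace glob are illustrative.
SAMPLE_CONFIG = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "github-actions", "directory": "/",
         "schedule": {"interval": "weekly"}, "cooldown": {"default-days": 7}},
        {"package-ecosystem": "npm", "directory": "/",
         "schedule": {"interval": "weekly"}, "cooldown": {"default-days": 7}},
        {"package-ecosystem": "npm", "directory": "/packages/sdk/example-pkg",
         "schedule": {"interval": "weekly"}, "cooldown": {"default-days": 7}},
        {"package-ecosystem": "npm", "directory": "/packages/sdk/react/examples/testing",
         "schedule": {"interval": "weekly"}, "cooldown": {"default-days": 7}},
        {"package-ecosystem": "npm", "directory": "/packages/sdk/example-pkg",
         "schedule": {"interval": "weekly"}, "cooldown": {"default-days": 3}},
    ],
}
SAMPLE_FILES = {
    "package.json", ".github/workflows/ci.yml",
    "packages/sdk/example-pkg/package.json", "packages/sdk/react/package.json",
}
SAMPLE_WORKSPACES = ("packages/sdk/*",)

if __name__ == "__main__":
    for finding in check_dependabot(SAMPLE_CONFIG, SAMPLE_FILES, SAMPLE_WORKSPACES):
        print(finding)
```

Run against the sample, the checker reports the missing manifest for the examples/testing directory, the two example-pkg entries as already covered by the root npm entry, the repeated example-pkg entry as a duplicate, and its 3-day cooldown as below the 7-day floor; the first two entries pass cleanly. In CI the same function can be fed the real file list (for example from git ls-files) so a path typo fails the check instead of surfacing later as a Dependabot configuration error.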