From ffecf02a6aec39e129ffa417f2d91186beba3849 Mon Sep 17 00:00:00 2001
From: Tal Zaccai
Date: Mon, 1 Jun 2026 15:41:02 -0700
Subject: [PATCH 1/3] chore(dependabot): add npm/pip ecosystems and group updates

The existing dependabot.yml only declared the devcontainers and github-actions ecosystems, leaving npm and pip completely unmanaged. All open security alerts in this repo (currently 9, all under typescript/package-lock.json) target ecosystems Dependabot wasn't watching, so no update PRs have ever been opened for them.

This change:

* Adds npm coverage for /typescript, /typescript/examples/*, and /site
* Adds pip coverage for /python (pyproject.toml)
* Adds grouping rules across all ecosystems so multiple alerts in a given run collapse into a single PR (separately for routine version updates vs security-advisory-triggered updates, so security PRs can be prioritised on their own). Major-version bumps continue to open one PR per package so reviewers have a chance to evaluate them individually.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/dependabot.yml | 50 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 97720e79..fb125f62 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,11 +6,61 @@
 version: 2
 updates:
+ # npm — typescript library + examples + docs site.
+ # All security alerts in this repo to date have been against
+ # typescript/package-lock.json, which previously had no ecosystem entry
+ # here, so Dependabot never opened any update PRs for them.
+ - package-ecosystem: "npm"
+ directories:
+ - "/typescript"
+ - "/typescript/examples/*"
+ - "/site"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ labels:
+ - "dependencies"
+ groups:
+ npm-production:
+ dependency-type: "production"
+ update-types: ["minor", "patch"]
+ npm-development:
+ dependency-type: "development"
+ update-types: ["minor", "patch"]
+ npm-security:
+ applies-to: security-updates
+ patterns: ["*"]
+
+ - package-ecosystem: "pip"
+ directory: "/python"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ labels:
+ - "dependencies"
+ groups:
+ pip-all:
+ patterns: ["*"]
+ update-types: ["minor", "patch"]
+ pip-security:
+ applies-to: security-updates
+ patterns: ["*"]
+
 - package-ecosystem: "devcontainers"
 directory: "/"
 schedule:
 interval: weekly
+ groups:
+ devcontainers:
+ patterns: ["*"]
+ + - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
 interval: weekly
+ groups:
+ github-actions:
+ patterns: ["*"]
+ github-actions-security:
+ applies-to: security-updates
+ patterns: ["*"]

From a14a6832227a2be49a909d1b5f73339e84437060 Mon Sep 17 00:00:00 2001
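Review bot: The comment block above `- package-ecosystem: "npm"` attributes the absence of security PRs to the missing ecosystem entry, but Dependabot security updates are switched on per repository in the code-security settings and, as far as I know, do not require a `package-ecosystem` entry at all — this file drives version updates and only customises security PRs (grouping via `applies-to: security-updates`, labels). If the alerts on typescript/package-lock.json have produced no PRs so far, that repository-level setting is worth confirming alongside this change, since the new entry alone may not start them. I would also reword the comment to describe intent rather than the current alert history, e.g. `# npm — typescript library, examples and docs site; security updates are grouped separately via npm-security.`, so it does not go stale once the alerts are resolved. Separately, `labels:` replaces Dependabot's default label set rather than extending it, so the per-ecosystem language label it would otherwise add is dropped — fine if intended.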
From: Tal Zaccai
Date: Mon, 1 Jun 2026 20:18:41 -0700
Subject: [PATCH 2/3] chore(dependabot): constrain all security & catch-all groups to minor/patch

Same fix applied to microsoft/typechat.net#319: groups without update-types collapse major-version bumps into the grouped PR, which defeats the goal of keeping majors as one-PR-per-package for breaking-change review.

Constrains npm-security, pip-security, devcontainers, github-actions, and github-actions-security groups to [minor, patch]. The npm-production, npm-development, and pip-all groups were already correctly constrained.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/dependabot.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index fb125f62..1926b7d7 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -20,6 +20,9 @@ updates:
 day: "monday"
 labels:
 - "dependencies"
+ # Group routine minor/patch bumps; security updates grouped separately
+ # so they can be prioritised. Major-version bumps fall through as
+ # one-PR-per-package so they can be reviewed for breaking changes.
 groups:
 npm-production:
 dependency-type: "production"
@@ -30,6 +33,7 @@ updates:
 npm-security:
 applies-to: security-updates
 patterns: ["*"]
+ update-types: ["minor", "patch"]

 - package-ecosystem: "pip"
 directory: "/python"
@@ -45,6 +49,7 @@ updates:
 pip-security:
 applies-to: security-updates
 patterns: ["*"]
+ update-types: ["minor", "patch"]

 - package-ecosystem: "devcontainers"
 directory: "/"
@@ -53,6 +58,7 @@ updates:
 groups:
 devcontainers:
 patterns: ["*"]
+ update-types: ["minor", "patch"]

 - package-ecosystem: "github-actions"
 directory: "/"
@@ -61,6 +67,8 @@ updates:
 groups:
 github-actions:
 patterns: ["*"]
+ update-types: ["minor", "patch"]
 github-actions-security:
 applies-to: security-updates
 patterns: ["*"]
+ update-types: ["minor", "patch"]

From 1b66d3b7e0c6ef7ea1e956a1c98969174f36b2c1 Mon Sep 17 00:00:00 2001
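Review bot: The policy comment added before `groups:` in the first hunk lives inside the npm entry, yet the rule it states is exactly what the other four hunks apply to pip, devcontainers and github-actions as well, so anyone reading those entries will not see the rationale for their new `update-types` lines. A single comment above `updates:` — or the file header, which PATCH 3/3 later rewrites to say the same thing — would be one home for it; once the header says it, this npm-local copy is a duplicate that can drift and should go. It may also be worth recording there that an advisory whose fix exists only in a new major release is deliberately left out of the `*-security` groups and arrives as its own PR, e.g. `# Security fixes that need a major bump are intentionally not grouped.`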
From: Tal Zaccai
Date: Mon, 1 Jun 2026 21:14:24 -0700
Subject: [PATCH 3/3] chore(dependabot): tighten header comment

---
 .github/dependabot.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 1926b7d7..f795def7 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,8 +1,11 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for more information:
-# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-# https://containers.dev/guide/dependabot
+# Dependabot configuration for microsoft/TypeChat.
+#
+# Per ecosystem: routine minor/patch updates are grouped into a single
+# weekly PR; security updates ship as their own grouped PR; major-version
+# bumps fall through ungrouped (one PR per package) for breaking-change
+# review.
+#
+# Docs: https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
 version: 2
 updates: