chore: disable Dependabot version updates, keep security updates#60
Merged
Set `open-pull-requests-limit: 0` on all three ecosystems to stop opening routine version-update PRs. Security-update PRs (from the GitHub Advisory Database) continue to fire independently of this config and are unaffected.

Rationale: the first version-update cycle opened 13 PRs, including ones that would require fresh benchmarking (e.g. pyo3) or other non-trivial validation. We prefer to pull in version bumps on demand, while still being alerted to actual CVEs.

The `cooldown` blocks are retained so the 7/14-day policy remains in place if version updates are ever re-enabled.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

Disable Dependabot version-update PRs on all three ecosystems by setting `open-pull-requests-limit: 0`. Security-update PRs (from the GitHub Advisory Database) are not affected by this config and continue to fire independently.

Why

The first version-update cycle after enabling Dependabot opened 13 PRs, including bumps (e.g. `pyo3`) that require fresh benchmarking or other non-trivial validation we're not ready to absorb piecemeal. We prefer to pull version bumps on demand, while still being alerted to actual CVEs.

What stays in place

`cooldown` blocks are retained. If we re-enable version updates later (by removing `open-pull-requests-limit: 0`), the 7/14-day policy is already there.

Follow-up (out of scope)

Close the 13 open version-update PRs with `@dependabot close`. Scripted batch-close after this merges.

Test plan

🤖 Generated with Claude Code
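The PR does not show the resulting file, so the following is an added illustration of what a `.github/dependabot.yml` with this change looks like, not this project's actual configuration. The three ecosystems (`cargo`, `pip`, `github-actions`), the weekly schedule and the concrete `cooldown` day values are assumptions chosen for the example; the PR only states that the limit is set to 0 on all three ecosystems and that a 7/14-day cooldown policy is retained.

```yaml
# Added example of a dependabot.yml with version updates switched off.
# Assumed ecosystems and cooldown values; not the project's own file.
version: 2
updates:
  - package-ecosystem: "cargo"        # assumed ecosystem
    directory: "/"
    schedule:
      interval: "weekly"              # assumed; the schedule still has to be present
    # 0 stops routine version-update PRs. Security updates driven by the
    # GitHub Advisory Database are not subject to this limit and keep coming.
    open-pull-requests-limit: 0
    # Kept so the delay policy is already in place if the limit above is
    # removed later. Assumed mapping of "7/14-day" onto the cooldown keys:
    # 7 days by default, 14 days before a major bump is proposed.
    cooldown:
      default-days: 7
      semver-major-days: 14

  - package-ecosystem: "pip"          # assumed ecosystem
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    cooldown:
      default-days: 7
      semver-major-days: 14

  - package-ecosystem: "github-actions"  # assumed ecosystem
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    cooldown:
      default-days: 7
      semver-major-days: 14
```

Two things to confirm after a change like this: that every `updates` entry carries the `open-pull-requests-limit: 0` line (a single ecosystem without it will silently keep opening bumps), and that Dependabot security updates are actually enabled in the repository settings, since the config file only governs version updates and the CVE-driven PRs this change relies on come from the separate security-updates feature.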