chore(deps): add dependabot config for pnpm and github-actions ecosystems #1378
Adds dependabot.yml to keep npm production dependencies and GitHub Actions up to date on a daily schedule with 7-day cooldown. PRs target the dependency-updates branch.
Code Review
This pull request introduces a GitHub Dependabot configuration (.github/dependabot.yml) to automate updates for npm and github-actions dependencies. The review feedback points out that the cooldown option is invalid in Dependabot's schema and will cause validation failures. Additionally, because this workspace uses pnpm catalogs, which Dependabot does not currently support, the reviewer advises that Dependabot may fail to update cataloged dependencies correctly and suggests considering Renovate as an alternative.
| schedule: | ||
| interval: 'daily' | ||
| cooldown: | ||
| default-days: 7 | ||
| semver-major-days: 7 | ||
| semver-minor-days: 7 | ||
| semver-patch-days: 7 | ||
| labels: | ||
| - 'dependencies' |
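Review bot: The `semver-major-days`, `semver-minor-days` and `semver-patch-days` entries all repeat the `default-days: 7` value, so they add nothing over `default-days` alone; either drop the three per-level keys or give them distinct values (for example a longer wait for majors) if differentiated cooldowns were the intent.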
I have run into this before - the gemini training cutoff is from before cooldown existed and the PR review bot doesn't have a web fetch tool to ingest more up-to-date documentation
The cooldown YAML bits here are definitely valid
| - package-ecosystem: 'npm' | ||
| directory: '/' | ||
| allow: | ||
| - dependency-type: 'production' |
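Review bot: `allow: dependency-type: 'production'` on the npm entry means devDependencies (build and test tooling) get no version-update PRs from this config; the PR title says the config covers the pnpm ecosystem as a whole, so state the production-only scope explicitly in the description and commit message so maintainers know dev tooling must be bumped by hand.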
This repository uses pnpm catalogs (configured in pnpm-workspace.yaml) to manage shared dependency versions. Please note that GitHub Dependabot does not currently support pnpm catalogs. As a result, Dependabot may fail to update cataloged dependencies or could create pull requests that bypass the catalog. You may need to manually manage these updates or consider using a tool like Renovate, which has native support for pnpm catalogs.
This is no longer true apparently: https://github.blog/changelog/2025-02-04-dependabot-now-supports-pnpm-workspace-catalogs-ga/
Confirmed that 'npm' is the valid ecosystem to use, if you have 'pnpm' (vs it being more specific or something): https://github.blog/changelog/2025-02-04-dependabot-now-supports-pnpm-workspace-catalogs-ga/
Good to go
mikehardy left a comment
To the best of my knowledge, with pnpm in a monorepo setup, and dependabot supporting pnpm, this should correctly handle update of all dependencies in all of the monorepo packages
Adds dependabot.yml to keep dependencies and GitHub Actions up to date on a daily schedule with 7-day cooldown.
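For reference, the full `dependabot.yml` the description and diff fragments imply, assembled here as an added example rather than the file from this PR; the `version: 2` / `updates` layout is Dependabot's standard one, and the placement of `target-branch` and `labels` on both entries is assumed from the description, not copied from the diff.

```yaml
# Added example, not the PR's own file: reconstructed from the settings the
# conversation describes (npm + github-actions, daily schedule, 7-day cooldown,
# PRs opened against the dependency-updates branch).
version: 2
updates:
  - package-ecosystem: 'npm'          # 'npm' is the ecosystem for pnpm workspaces and catalogs too
    directory: '/'                    # root of the pnpm workspace
    schedule:
      interval: 'daily'
    # Wait before proposing a freshly published version: limits exposure to a
    # release that is later yanked or found to be malicious.
    cooldown:
      default-days: 7
      semver-major-days: 7
      semver-minor-days: 7
      semver-patch-days: 7
    allow:
      - dependency-type: 'production' # devDependencies are not bumped by this config
    target-branch: 'dependency-updates'
    labels:
      - 'dependencies'

  - package-ecosystem: 'github-actions'
    directory: '/'                    # Dependabot scans .github/workflows from here
    schedule:
      interval: 'daily'
    cooldown:
      default-days: 7
    target-branch: 'dependency-updates'
    labels:
      - 'dependencies'
```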