Add Dependabot configuration for pip and GitHub Actions #2041
Conversation
Enables automated dependency and security (CVE) update PRs for the pip test requirements and the GitHub Actions used in workflows. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
| # Keeps dependencies up to date and automatically opens pull requests for | ||
| # security (CVE) and version updates. Security updates are always enabled for | ||
| # every ecosystem Dependabot can detect; the entries below also enable regular | ||
| # version updates so dependencies don't drift far enough to accumulate |
The header comment states "Security updates are always enabled for every ecosystem Dependabot can detect," but this file only configures version updates. Dependabot security (CVE) updates require the separate toggle in repo Settings → Code security, as the PR description correctly notes. Consider softening this committed comment to match that caveat so a future maintainer doesn't assume CVE PRs are already flowing.
Good catch - softened the header comment in 8d24d2c to make clear this file only configures version updates, and that CVE security updates require the separate Settings -> Code security toggle.
| open-pull-requests-limit: 10 | ||
| labels: | ||
| - "dependencies" | ||
| - "python" |
The custom labels python and github-actions will be silently ignored by Dependabot if they don't already exist in the repo (only dependencies is auto-created). Either pre-create these labels or drop them to avoid a no-op.
Dropped the custom 'python' and 'github-actions' labels in 8d24d2c, keeping only the auto-created 'dependencies' label to avoid the silent no-op.
Config looks sound and safe to merge. A couple of minor, non-blocking notes inline (misleading header comment about security updates, and custom labels that may need to be pre-created).
heejaechang left a comment:
Approved via Review Center.
- Clarify header comment: this file enables version updates only; CVE security updates require the separate repo Settings toggle.
- Drop custom 'python' and 'github-actions' labels that Dependabot would silently ignore; keep only the auto-created 'dependencies' label.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
| open-pull-requests-limit: 10 | ||
| labels: | ||
| - "dependencies" | ||
| groups: |
The patterns: ["*"] grouping collapses every dependency into one all-or-nothing grouped PR. Given the PR's stated CVE-remediation goal, a single breaking major bump (e.g. numpy, gevent, django) can wedge the entire group and delay a security-relevant bump (e.g. requests) swept into it. Consider carving high-risk majors out of the catch-all group, or rely on Dependabot's ungrouped security PRs once that setting is enabled. Not a blocker.
Config looks sound and safe to merge. One optional note about the catch-all grouping is worth considering, but it's non-blocking.
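As an added illustration of the grouping concern raised in the review above (this is not part of the PR's diff): the all-or-nothing group beside a split that keeps routine bumps batched while majors of the named high-risk packages open as their own PRs. `update-types` and `exclude-patterns` are standard Dependabot group keys; the weekly schedule and the `/tests` directory are assumptions, since the quoted snippet does not show them.

```yaml
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/tests"          # assumed from tests/requirements.txt in the PR description
    schedule:
      interval: "weekly"         # assumed; the quoted snippet does not show the schedule
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    groups:
      # Shape under discussion: one all-or-nothing PR. A breaking numpy or
      # django major blocks the requests bump riding in the same PR.
      # all-pip:
      #   patterns: ["*"]
      #
      # Split instead: routine minor/patch bumps stay batched in one PR ...
      routine:
        patterns: ["*"]
        update-types: ["minor", "patch"]
      # ... majors of lower-risk packages are batched separately, and the
      # excluded high-risk packages match no group at all, so each major of
      # numpy, gevent or django opens as its own PR that cannot wedge the rest.
      majors:
        patterns: ["*"]
        exclude-patterns: ["numpy", "gevent", "django"]
        update-types: ["major"]

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"         # assumed
    labels:
      - "dependencies"
```

Dependabot places a dependency in the first group it matches and opens an individual PR for any dependency that matches none, which is what isolates the excluded majors.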
heejaechang left a comment:
Approved via Review Center.
Summary
Adds a .github/dependabot.yml to enable automated dependency and security (CVE) update pull requests. This addresses the recurring Component Governance / CVE alerts for the repository by letting Dependabot keep dependencies current and raise security update PRs automatically.
Ecosystems covered
- pip, directory /tests: tests/requirements.txt (django, flask, gevent, numpy, requests, etc.)
- github-actions, directory /: actions/checkout, github/codeql-action, actions/stale, actions/github-script

Notes

src/debugpy/_vendored/ and the git components in cgmanifest.json (pydevd, bytecode, winappdbg, scandir) are not managed by Dependabot and still require manual updates.