From d114e49a09b80e3cedb0cff54ed8890a914cff00 Mon Sep 17 00:00:00 2001 From: Rich Chiodo false Date: Wed, 24 Jun 2026 10:19:14 -0700 Subject: [PATCH 1/2] Add Dependabot configuration for pip and GitHub Actions Enables automated dependency and security (CVE) update PRs for the pip test requirements and the GitHub Actions used in workflows. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/dependabot.yml | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..0c71c943 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,38 @@ +# Dependabot configuration for debugpy. +# +# Keeps dependencies up to date and automatically opens pull requests for +# security (CVE) and version updates. Security updates are always enabled for +# every ecosystem Dependabot can detect; the entries below also enable regular +# version updates so dependencies don't drift far enough to accumulate +# vulnerabilities in the first place. +# +# Docs: https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file +version: 2 +updates: + # Python packages used to run and exercise the test suite. + - package-ecosystem: "pip" + directory: "/tests" + schedule: + interval: "weekly" + open-pull-requests-limit: 10 + labels: + - "dependencies" + - "python" + groups: + python-test-dependencies: + patterns: + - "*" + + # GitHub Actions used by the workflows in .github/workflows. + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 10 + labels: + - "dependencies" + - "github-actions" + groups: + github-actions: + patterns: + - "*" From 8d24d2cff0017c9eb12d5ec51f6508f29542e09a Mon Sep 17 00:00:00 2001 
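Review bot: Neither update entry sets a `cooldown`, so with `patterns: ["*"]` grouping a release of any test dependency or action published minutes before the weekly run is folded into the same PR as routine bumps, which is exactly the window a compromised-maintainer release exploits. If the Dependabot schema in use supports it, add `cooldown:` / `  default-days: 7` under each entry so only releases that have been public for a week are proposed; as I read the docs this does not hold back security updates, so CVE fixes are not delayed. The all-patterns group also mixes major bumps (e.g. an action whose inputs changed between majors) in with patch bumps, so adding `update-types: ["minor", "patch"]` to each group would keep majors as separate, individually reviewable PRs. The pip entry only watches `/tests`, so any runtime requirements elsewhere in the repo are not covered by this file, which is worth stating in the header comment.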
From: Rich Chiodo false Date: Wed, 24 Jun 2026 10:29:47 -0700 Subject: [PATCH 2/2] Address review feedback on dependabot config - Clarify header comment: this file enables version updates only; CVE security updates require the separate repo Settings toggle. - Drop custom 'python' and 'github-actions' labels that Dependabot would silently ignore; keep only the auto-created 'dependencies' label. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/dependabot.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 0c71c943..b5b1e8b0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,11 +1,14 @@ # Dependabot configuration for debugpy. # -# Keeps dependencies up to date and automatically opens pull requests for -# security (CVE) and version updates. Security updates are always enabled for -# every ecosystem Dependabot can detect; the entries below also enable regular -# version updates so dependencies don't drift far enough to accumulate +# This file configures version updates: Dependabot opens pull requests to keep +# dependencies current so they don't drift far enough to accumulate # vulnerabilities in the first place. # +# NOTE: Security (CVE) updates are NOT enabled by this file. They require the +# separate "Dependabot security updates" toggle in repo Settings -> Code +# security. Keeping dependencies current here reduces the surface area for +# those alerts. +# # Docs: https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file version: 2 updates: @@ -17,7 +20,6 @@ updates: open-pull-requests-limit: 10 labels: - "dependencies" - - "python" groups: python-test-dependencies: patterns: @@ -31,7 +33,6 @@ updates: open-pull-requests-limit: 10 labels: - "dependencies" - - "github-actions" groups: github-actions: patterns:
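Review bot: The added NOTE says CVE updates need the repo Settings toggle but does not say how they interact with the `groups` defined later in this file: a group applies to version updates only unless it sets `applies-to: security-updates`, so once the toggle is on, security PRs will arrive individually, outside the weekly grouped PR. I would extend the note, e.g. `# Security PRs are not grouped by the groups below (groups apply to version updates` / `# only unless one sets applies-to: security-updates).` As I understand GitHub's settings, the security-updates toggle also requires Dependabot alerts to be enabled first, which deserves a clause so whoever flips the toggle knows the prerequisite.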