
ci(dependabot): SMI-4669 expand npm groups + add docker ecosystem#897

Merged: wrsmith108 merged 3 commits into main from smi-4669-dependabot-grouping on May 3, 2026

Conversation

@wrsmith108 (Member) commented May 3, 2026

[skip-impl-check]

Summary

  • Adds 10 ecosystem groups under the npm block in .github/dependabot.yml (aws-sdk, hono, astro, vercel, smithy, supabase, octokit, opentelemetry, vitest, types). Each mirrors the existing typescript-eslint group with update-types: [minor, patch] so major bumps still surface individually for human review.
  • Adds a package-ecosystem: 'docker' block on monthly cadence so base-image CVEs (currently node:22-slim per Dockerfile:20) surface as targeted PRs instead of accumulating silently between manual rebuilds.

Why

Currently 10+ open chore(deps) PRs route to a single named reviewer (ryansmith108). Each unbatched PR is a coin-toss against fatigue, which is a rubber-stamp risk against the supply-chain hardening posture established in SMI-3864/3985 (Wave 1) and SMI-4651 (vendor trust tier). Open PRs #841/842/844/845 specifically (@octokit/*, @opentelemetry/*) would have batched into 2 PRs instead of 4.

Linear

  • Parent: SMI-4666 (Dependabot CI Hardening Phase 2 umbrella)
  • This wave: SMI-4669

Test plan

  • python3 -c "import yaml; yaml.safe_load(open('.github/dependabot.yml'))" → 3 ecosystems, 11 npm groups, valid
  • docker exec skillsmith-dev-1 npm run audit:standards → 51 pass, 6 warnings, 0 fail (89% compliance, unchanged from baseline)
  • Pre-commit hooks (typecheck + lint-staged) passed
  • Pre-push hooks (format + tests) passed
  • Post-merge: watch next Monday Dependabot run for batched PRs (e.g., one chore(deps): bump @aws-sdk/* group instead of N individuals)
  • Post-merge: watch first month for docker base-image PR

[skip-smoke] dependabot.yml is data-only; structural verification is via the Dependabot UI after merge, not via runtime smoke surfaces.

🤖 Generated with Ruflo

Co-Authored-By: Claude <noreply@anthropic.com>

Adds 10 ecosystem groups under the npm block, mirroring the existing
typescript-eslint group's update-types: [minor, patch] pattern (major
bumps still surface individually for human review):

- aws-sdk    (@aws-sdk/*)
- hono       (@hono/*, hono)
- astro      (astro, @astrojs/*)
- vercel     (@vercel/*, vercel)
- smithy     (@smithy/*)
- supabase   (@supabase/*)
- octokit    (@octokit/*, octokit)
- opentelemetry (@opentelemetry/*)
- vitest     (vitest, @vitest/*)
- types      (@types/*)

Open Dependabot PRs #841, #842, #844, #845 (@octokit/*, @opentelemetry/*)
specifically would have batched into 2 PRs instead of 4 with these groups.

Adds package-ecosystem: 'docker' block on monthly cadence, mirroring the
github-actions block shape. Surfaces base-image CVEs (currently
node:22-slim per Dockerfile:20) as targeted PRs instead of accumulating
silently between manual rebuilds.

Reviewer-fatigue rationale: every Dependabot PR routes to a single named
reviewer (ryansmith108). Batching reduces PR count → reduces rubber-stamp
risk on the supply-chain hardening posture established in SMI-3864/3985
(Wave 1) and SMI-4651 (vendor trust tier).

Verification:
- python yaml.safe_load → 3 ecosystem blocks, 11 npm groups, valid
- docker exec skillsmith-dev-1 npm run audit:standards → 51 pass,
  6 warnings, 0 fail (89% compliance, unchanged)
- dependabot.yml is data-only; structural verification via GitHub UI
  after merge will confirm batched PRs land on next Monday run.

Refs: SMI-4666 SMI-4669
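The shape of the `.github/dependabot.yml` that the description and commit message above talk about, written out as an added example for readers who have not seen a grouped Dependabot config; this is not the project's own file and not part of the PR diff. The group names and patterns are the ten listed in the commit message plus the pre-existing typescript-eslint group; the `@typescript-eslint/*` pattern, the `/` directory, the weekly-on-Monday npm schedule and the github-actions cadence are assumptions, not values taken from the repository.

```yaml
# Added example of a grouped dependabot.yml; not the project's own file.
# Assumed: root directory, weekly Monday npm schedule, github-actions cadence,
# and the typescript-eslint pattern.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"                     # assumed: package.json at repo root
    schedule:
      interval: "weekly"
      day: "monday"                    # assumed; matches the "next Monday run" in the test plan
    groups:
      # Pre-existing group that the ten new ones mirror (pattern assumed).
      typescript-eslint:
        patterns: ["@typescript-eslint/*"]
        update-types: ["minor", "patch"]
      # Omitting "major" from update-types keeps major bumps out of the group,
      # so each one still opens its own PR for individual review.
      aws-sdk:
        patterns: ["@aws-sdk/*"]
        update-types: ["minor", "patch"]
      hono:
        patterns: ["@hono/*", "hono"]
        update-types: ["minor", "patch"]
      astro:
        patterns: ["astro", "@astrojs/*"]
        update-types: ["minor", "patch"]
      vercel:
        patterns: ["@vercel/*", "vercel"]
        update-types: ["minor", "patch"]
      smithy:
        patterns: ["@smithy/*"]
        update-types: ["minor", "patch"]
      supabase:
        patterns: ["@supabase/*"]
        update-types: ["minor", "patch"]
      octokit:
        patterns: ["@octokit/*", "octokit"]
        update-types: ["minor", "patch"]
      opentelemetry:
        patterns: ["@opentelemetry/*"]
        update-types: ["minor", "patch"]
      vitest:
        patterns: ["vitest", "@vitest/*"]
        update-types: ["minor", "patch"]
      types:
        patterns: ["@types/*"]
        update-types: ["minor", "patch"]

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"              # assumed cadence for the pre-existing block

  # Docker block on monthly cadence, mirroring the github-actions block shape,
  # so base-image updates (e.g. the node:22-slim FROM line) arrive as their own PRs.
  - package-ecosystem: "docker"
    directory: "/"                     # assumed: Dockerfile at repo root
    schedule:
      interval: "monthly"
```

Two things worth knowing when reviewing a file of this shape: a package that matches a group's `patterns` but receives a major bump is excluded from the group because `update-types` lists only `minor` and `patch`, so that bump surfaces as a separate PR; and a group such as `hono` that lists both a scoped pattern and a bare package name batches the framework with its plugins, which is the whole point of choosing the pattern pairs above. The `python3 -c "import yaml; yaml.safe_load(...)"` line in the test plan only proves the file parses; whether the groups actually batch is confirmed by the next scheduled Dependabot run, as the description says.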
@vercel (Bot) commented May 3, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: website
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): May 3, 2026 7:24am


@github-actions (Bot) commented May 3, 2026

E2E Test Results

E2E Test Results - May 3, 2026

Summary

  • Status: ✅ PASSED
  • Total Duration: 0.00s
  • Generated: 2026-05-03T05:09:42.128Z

Test Results

Phase Status Duration
CLI E2E ⏭️ Skipped -
MCP E2E ⏭️ Skipped -

Generated by skillsmith E2E test suite

@github-actions (Bot) commented May 3, 2026

E2E Test Results

E2E Test Results - May 3, 2026

Summary

  • Status: ✅ PASSED
  • Total Duration: 0.00s
  • Generated: 2026-05-03T07:19:30.942Z

Test Results

Phase Status Duration
CLI E2E ⏭️ Skipped -
MCP E2E ⏭️ Skipped -

Generated by skillsmith E2E test suite

@github-actions (Bot) commented May 3, 2026

E2E Test Results

E2E Test Results - May 3, 2026

Summary

  • Status: ✅ PASSED
  • Total Duration: 0.00s
  • Generated: 2026-05-03T07:37:10.471Z

Test Results

Phase Status Duration
CLI E2E ⏭️ Skipped -
MCP E2E ⏭️ Skipped -

Generated by skillsmith E2E test suite

@wrsmith108 wrsmith108 merged commit bd42c5b into main May 3, 2026
34 checks passed
@wrsmith108 wrsmith108 deleted the smi-4669-dependabot-grouping branch May 4, 2026 22:13