
[DX-1017] Update Dependabot config to reduce PR bloat / noise#245

Open
sacOO7 wants to merge 2 commits into main from fix/dependabot-config

Conversation

Contributor

@sacOO7 sacOO7 commented Mar 31, 2026

  • Fixes https://ably.atlassian.net/browse/DX-1017
  • Core CLI package (/): runs weekly — this is the npm-published product and gets the highest scrutiny
  • Sub-packages (react-web-cli, examples/web-cli): run monthly — they are not the core product, not published independently, and have only ~20-24 dependencies each; monthly reduces CI load from 52 to 12 runs/year per sub-package

Summary

Rewrites the Dependabot configuration following industry best practices to address the current problem of ~30 open Dependabot PRs creating review fatigue, wasting CI resources, and burying actual dependency updates in noise.

Problem

| Issue | Impact |
|---|---|
| Major versions excluded from groups | 19 individual major-bump PRs |
| GitHub Actions have no grouping | 5 individual PRs |
| Sub-packages on weekly schedule (same as root) | Duplicate PRs for same dependencies, lockfile conflicts |
| No ignore rules for infeasible migrations | Stale PRs consuming PR limit slots and CI on every rebase |
| No supply-chain protection | Newly published (potentially malicious) versions picked up immediately |

Changes Introduced

1. Three-tier grouping for root package (/)

Instead of grouping only minor/patch (leaving every major as an individual PR), we now use a tiered strategy adopted by Fastify, SPS Commerce (4000+ repos), and others:

| Tier | Group | What it contains | Review approach |
|---|---|---|---|
| 1 | dev-minor-patch | Dev dependency minor + patch updates | Low-risk, backwards-compatible |
| 1 | prod-minor-patch | Prod dependency minor + patch updates | Low-risk, backwards-compatible |
| 2 | dev-major | Dev dependency major updates (linters, test frameworks, bundlers) | Review as a batch — breaking changes only affect dev workflow, not CLI users |
| 3 | (no group) | Prod dependency major updates | Individual PRs for maximum visibility on breaking changes to CLI end users |

Why not group all majors together? A single broken major blocks the entire grouped PR, holding safe minor/patch updates hostage. This is the most common complaint from teams that tried grouping everything (ref).

2. Ignore rules for infeasible major migrations

These PRs sit open for weeks, waste CI on every rebase, and won't be merged until the team plans the migration:

| Dependency | Migration | Why ignored |
|---|---|---|
| zod | v3 → v4 | New validation paradigm, breaking API changes |
| inquirer | v9 → v13 | Complete API rewrite |
| typescript | v5 → v6 | Major compiler changes |

Action item: Revisit these quarterly. Remove the ignore rule when the team is ready to migrate.

3. Cooldown for newly published versions

Defers PRs for recently published package versions. Security updates bypass cooldown entirely.

| Semver type | Cooldown | Reasoning |
|---|---|---|
| Major | 7 days | Major releases often get immediate hotfix follow-ups |
| Minor | 3 days | Catches most regressions and supply-chain attacks |
| Patch | 3 days | Same — malicious versions are usually caught within days |

Industry precedent: Node.js uses 5-day cooldown across the board. GitHub officially recommends cooldown as a supply-chain defense.

4. Monthly schedule for sub-packages

/packages/react-web-cli and /examples/web-cli moved from weekly to monthly:

  • These are not the core CLI product (~20-24 dependencies each)
  • Not published independently
  • Weekly updates created unnecessary CI load and lockfile conflicts
  • Single wildcard group (patterns: ["*"]) collapses all updates into one PR

Industry precedent: Node.js uses different frequencies per directory. Grafana uses monthly for non-core packages.

5. GitHub Actions wildcard grouping

All GitHub Actions updates now land in a single grouped PR instead of 5 individual ones. No reason to review actions/setup-node separately from actions/upload-artifact.

Industry precedent: TypeScript and Node.js both use patterns: ["*"] for GitHub Actions.

6. Labels for filtering and automation

| Ecosystem | Labels |
|---|---|
| Root npm | dependencies |
| React Web CLI | dependencies, react-web-cli |
| Examples | dependencies, examples |
| GitHub Actions | dependencies, github-actions |

Enables GitHub UI filtering, notification routing, and automation rules.

7. Conventional commit prefixes

  • Production deps: fix(deps): ...
  • Dev deps: chore(dev-deps): ...

If semantic release is ever adopted, prod dependency updates automatically trigger patch releases while dev updates do not. Used by Fastify and Grafana.

8. Pinned schedule

All weekly ecosystems run on Monday 09:00 UTC — predictable batch-review window instead of surprise PRs on random days.

Expected Impact

| Metric | Before | After |
|---|---|---|
| Open PRs at any time | ~30 | ~5-8 |
| CI runs/week from Dependabot | 30+ | ~5-7 |
| PRs needing human review | 30 | 3-5 (dev-major group + individual prod majors) |
| Sub-package PR frequency | Weekly (noisy) | Monthly (batched) |
| GitHub Actions PRs | 5 individual | 1 grouped |
| Supply-chain protection | None | 3-7 day cooldown on new versions |

Follow-up Actions

  • Create GitHub labels: dependencies, react-web-cli, examples, github-actions (if they don't exist)
  • Close existing ~30 open Dependabot PRs — they'll be recreated with new grouping on the next scheduled run
  • Verify on the following Monday that PRs arrive grouped as expected
  • Set a quarterly calendar reminder to review the ignore rules (zod, inquirer, typescript)

Industry References

  • Fastify — tiered grouping with separate dependencies-major group
  • Node.js — wildcard grouping for sub-directories, cooldown, different frequencies per directory
  • Grafana — monthly for non-core, conventional commit prefixes
  • SPS Commerce (4000+ repos) — enterprise-scale Dependabot management
  • GitHub Docs — official optimization guide

🤖 Generated with Claude Code
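As an added illustration, not the PR's own diff (which is not shown on this page), here is how the root npm entry and the GitHub Actions entry described above fit together in a `.github/dependabot.yml`: three-tier groups, the three ignore rules, the cooldown block, labels and commit prefixes. The dependency names, day counts and schedule follow the description; the group names for the actions entry and the exact timezone string are assumed.

```yaml
version: 2
updates:
  # Root npm package: weekly, three-tier grouping (assumed layout)
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
      timezone: "Etc/UTC"
    labels: ["dependencies"]
    commit-message:
      prefix: "fix(deps)"
      prefix-development: "chore(dev-deps)"
    groups:
      # Tier 1: low-risk, backwards-compatible updates
      dev-minor-patch:
        dependency-type: "development"
        update-types: ["minor", "patch"]
      prod-minor-patch:
        dependency-type: "production"
        update-types: ["minor", "patch"]
      # Tier 2: dev majors reviewed as one batch
      dev-major:
        dependency-type: "development"
        update-types: ["major"]
      # Tier 3: prod majors deliberately left ungrouped, one PR each
    ignore:
      # Infeasible migrations; revisit quarterly and drop when planned
      - dependency-name: "zod"
        update-types: ["version-update:semver-major"]
      - dependency-name: "inquirer"
        update-types: ["version-update:semver-major"]
      - dependency-name: "typescript"
        update-types: ["version-update:semver-major"]
    # Supply-chain cooldown: wait before raising a PR for a newly published
    # version so a compromised release has time to be reported and pulled
    cooldown:
      semver-major-days: 7
      semver-minor-days: 3
      semver-patch-days: 3
  # GitHub Actions: every action update lands in a single grouped PR
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels: ["dependencies", "github-actions"]
    groups:
      actions:
        patterns: ["*"]
```

Dependabot security updates are raised regardless of the cooldown block, so the delay only affects routine version bumps.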


vercel bot commented Mar 31, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| cli-web-cli | Ready | Preview, Comment | Apr 2, 2026 8:53am |


@claude-code-ably-assistant claude-code-ably-assistant bot left a comment


Review Summary

This PR only changes .github/dependabot.yml. No CLI source, tests, or build config are affected — the standard oclif/TypeScript checklist does not apply. Review is scoped to Dependabot config correctness.

One concern: cooldown key validity

The PR introduces a cooldown block on all four update entries:

```yaml
cooldown:
  semver-major-days: 7
  semver-minor-days: 3
  semver-patch-days: 3
```

Risk: I cannot verify whether cooldown with these exact sub-keys (semver-major-days, semver-minor-days, semver-patch-days) is currently supported by Dependabot. If the key is unrecognised or the sub-key names are wrong, Dependabot will silently ignore the block — the supply-chain protection the PR describes won't be active, but everything else still works. Before merging, it's worth a quick check against the Dependabot configuration reference to confirm the exact key names are correct.

Everything else looks good

  • Three-tier grouping strategy (dev-minor-patch / prod-minor-patch / dev-major / prod-major individual) is sound and well-reasoned.
  • ignore rules for zod, inquirer, and typescript majors are appropriate — these are genuinely non-trivial migrations.
  • Monthly cadence for react-web-cli and examples/web-cli is a reasonable noise reduction for non-published sub-packages.
  • GitHub Actions wildcard group is a clear improvement over 5 individual PRs.
  • Conventional commit prefixes (fix(deps) / chore(dev-deps)) and label additions are useful operational improvements.
  • The PR description itself is thorough and includes the rationale future maintainers will need when revisiting the ignore rules.

Overall: Ready to merge once the cooldown key syntax is verified against official docs.


claude-code-ably-assistant bot commented Mar 31, 2026

Walkthrough: This PR rewrites the Dependabot configuration to reduce dependency PR noise from ~30 open PRs down to ~5-8. It adopts a three-tier grouping strategy for the root package, adds cooldown periods for newly published versions, moves sub-package schedules to monthly, and groups all GitHub Actions updates into a single PR.

Changes:

  • Config - .github/dependabot.yml - Complete rewrite: tiered grouping, ignore rules for infeasible major migrations (zod, inquirer, typescript), cooldown periods, conventional commit prefixes, monthly schedule for sub-packages, GitHub Actions wildcard grouping.

Review Notes:

  • No code changes - purely a CI/tooling configuration change with no impact on the CLI itself.
  • Immediate action required: ~30 existing open Dependabot PRs should be closed manually; they will be recreated under the new grouping on the next Monday 09:00 UTC run.
  • Ignored major versions: zod (v3 to v4), inquirer (v9 to v13), and typescript (v5 to v6) are excluded. These stale PRs will stop appearing but migrations still need to happen - a quarterly review reminder is recommended.
  • Cooldown field: Verify this feature is supported by the Dependabot version in use - it is relatively new.
  • Sub-package major updates: react-web-cli and examples/web-cli now group all updates including majors into a single monthly PR, which could obscure breaking changes.
  • Labels: react-web-cli, examples, and github-actions labels may need to be created in the repo before the config takes full effect.

@sacOO7 sacOO7 marked this pull request as draft March 31, 2026 18:01
Contributor Author

sacOO7 commented Mar 31, 2026

@claude Recently the axios dependency was compromised (https://snyk.io/blog/axios-npm-package-compromised-supply-chain-attack-delivers-cross-platform/), so we definitely need cooldown to make sure no vulnerability is introduced.

Contributor Author

sacOO7 commented Apr 1, 2026

I checked and validated cooldown key validity against the official doc https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-. The sub-keys semver-major-days, semver-minor-days, and semver-patch-days are all officially documented and valid.

@sacOO7 sacOO7 changed the title Optimize Dependabot config to reduce PR noise Optimize Dependabot config to reduce PR bload/noise Apr 1, 2026
@sacOO7 sacOO7 changed the title Optimize Dependabot config to reduce PR bload/noise Optimize Dependabot config to reduce PR bloat / noise Apr 1, 2026
@sacOO7 sacOO7 changed the title Optimize Dependabot config to reduce PR bloat / noise Update Dependabot config to reduce PR bloat / noise Apr 1, 2026
@sacOO7 sacOO7 force-pushed the fix/dependabot-config branch from 86999a4 to 56bf7a2 on April 1, 2026 18:36
@sacOO7 sacOO7 marked this pull request as ready for review April 1, 2026 18:36
@sacOO7 sacOO7 changed the title Update Dependabot config to reduce PR bloat / noise [DX-1017] Update Dependabot config to reduce PR bloat / noise Apr 1, 2026
@claude-code-ably-assistant

Walkthrough

This PR rewrites .github/dependabot.yml to reduce Dependabot PR noise from ~30 open PRs down to ~5–8. It introduces tiered dependency grouping, cooldown windows for supply-chain protection, a monthly schedule for non-core sub-packages, and ignore rules for major-version migrations that are not yet planned.

Changes

| Area | Files | Summary |
|---|---|---|
| Config | .github/dependabot.yml | Full rewrite of Dependabot configuration with 3-tier grouping, cooldown rules, sub-package schedule changes, and GitHub Actions wildcard grouping |

Review Notes

  • Behavioral change: Dependabot PR volume drops significantly (~30 → ~5–8). Existing open Dependabot PRs should be closed and allowed to re-open under the new grouping on the next Monday 09:00 UTC run.
  • Ignored major migrations: zod (v3→v4), inquirer (v9→v13), and typescript (v5→v6) are now explicitly ignored until the team plans those migrations. A quarterly review reminder is recommended.
  • Sub-package schedule: packages/react-web-cli and examples/web-cli moved from weekly → monthly. This reduces CI load but means those dependencies will lag up to 4 weeks behind.
  • Supply-chain cooldown: New package versions are deferred 3 days (minor/patch) or 7 days (major) before a PR is raised. Security updates bypass this entirely.
  • No code changes: Only CI/CD configuration is modified — no tests needed, no deployment considerations.
  • Follow-up needed: GitHub labels (dependencies, react-web-cli, examples, github-actions) must exist in the repo for the label assignments to take effect.

@sacOO7 sacOO7 requested review from AndyTWF and umair-ably April 1, 2026 18:44
sacOO7 and others added 2 commits April 2, 2026 14:22
Rewrites the Dependabot configuration following industry standards
(Fastify, Node.js, Grafana, Terraform patterns) to fix the core
problem: 30 open PRs creating review fatigue and wasting CI resources.

Key changes:
- 3-tier grouping for root: minor/patch grouped, dev majors grouped,
  prod majors individual for maximum visibility
- Wildcard grouping for sub-packages: single PR per directory
- Monthly schedule for sub-packages (not the core product)
- GitHub Actions wildcard grouping: 5 PRs become 1
- Ignore rules for infeasible major migrations (zod, inquirer, typescript)
- Cooldown (7d major, 3d minor/patch) for supply-chain protection
- Labels for filtering and automation
- Conventional commit prefixes (fix(deps)/chore(dev-deps))
- Pinned schedule: Monday 09:00 UTC

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Added comment regarding security-related updates