chore(deps): switch Dependabot to security-only (suppress version bumps) #713
Merged
Conversation
Routine "bump axios from 1.2.3 to 1.2.4" PRs are out, security update PRs for CVEs are in. Implemented via open-pull-requests-limit: 0 on every ecosystem block, which the GitHub docs document as the supported way to keep an ecosystem registered for security updates while suppressing version-update PRs.

Why now: supply-chain attacks via npm / PyPI / Go modules have become routine (chained typosquats, post-install scripts, account takeovers of maintainer accounts). A constant stream of merge-this-patch PRs produces alert fatigue and tempts a quick rubber-stamp on a malicious release. Reserving Dependabot's noise budget for actual advisories keeps reviewer attention where it matters.

What still works:
- Dependabot security updates open PRs when a tracked manifest hits a published advisory. Not subject to the open-pr limit.
- The seven-manifest allowlist still scopes BOTH version AND security updates, so the deliberately vulnerable fixtures under rules/** and sast-engine/test-fixtures/** stay untouched.
- Existing labels and chore(deps) prefix carry over to security PRs.
- New "security" label added across all blocks so the PRs that DO open are immediately filterable.

Severity filtering (the user's "high and critical only" ask): open-pull-requests-limit can't filter by severity. To suppress medium/low security PRs and dismiss the underlying alerts, configure auto-triage rules under Settings -> Security -> Dependabot -> Auto-triage rules. Documented in the file header.
SafeDep Report Summary: No dependency changes detected. Nothing to scan. This report is generated by SafeDep Github App.

Code Pathfinder Security Scan: No security issues detected. Powered by Code Pathfinder.

Pathfinder Report: ✅ No security findings on the changed files. This pull request is clean. Powered by Code Pathfinder.
This was referenced May 22, 2026



Summary
Switches .github/dependabot.yml from "weekly version-bump PRs" to "security-update PRs only." Implemented via open-pull-requests-limit: 0 on every ecosystem block, the GitHub-documented way to keep an ecosystem registered for security updates while suppressing routine version bumps.

Why
Supply-chain attacks via npm / PyPI / Go modules have become routine: chained typosquats, post-install scripts, account takeovers of maintainer accounts. A constant stream of "bump X from 1.2.3 to 1.2.4" PRs produces alert fatigue and tempts a quick rubber-stamp on a malicious release. Reserving Dependabot's noise budget for actual advisories keeps reviewer attention where it matters.

What still works
- open-pull-requests-limit knob (per the GitHub docs).
- rules/** and sast-engine/test-fixtures/** are still ignored.
- labels and chore(deps) commit prefix carry over to security update PRs.
- New security label added across all blocks so the PRs that do open are immediately filterable.

Severity filtering (your "high and critical only" ask)
open-pull-requests-limit can't filter by CVE severity. The supported mechanism is auto-triage rules under Settings → Security → Dependabot → Auto-triage rules:
- severity <= medium, action = "Auto-dismiss alert", reason = tolerable_risk (or inaccurate).
- severity >= high.
That dismisses the underlying alerts so they also vanish from the Security tab. The file header documents this.
Follow-up after merge (planned in the next batch)
Close the in-flight dependabot version-bump PRs (#707–#711 and any that landed since this morning). Those were queued before this config took effect; they would otherwise sit open and contradict the new posture.
Test plan
- open-pull-requests-limit: 0.
- groups block removed where present (no-op with limit 0; removed for clarity).
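The posture the summary and test plan describe, written out as an added example configuration; this is not the project's own .github/dependabot.yml. The ecosystems, the directory paths and the "dependencies" label are assumptions standing in for the project's seven-manifest allowlist and its existing labels; open-pull-requests-limit: 0, the added security label and the chore(deps) prefix are the settings the PR itself describes. The commented "before" block shows the setting that produced the weekly bump PRs.

```yaml
# Added example, not the project's actual .github/dependabot.yml.
#
# Posture: every listed manifest stays registered with Dependabot so that
# security updates (PRs for published advisories) keep flowing, while
# routine version-bump PRs are suppressed with open-pull-requests-limit: 0.
#
# Severity filtering cannot be expressed in this file. To drop medium/low
# alerts (and the PRs they would open), configure auto-triage rules in the
# repository UI: Settings -> Security -> Dependabot -> Auto-triage rules.
#
# Manifests are scoped by allowlisting: only the directories listed below
# are scanned, so deliberately vulnerable fixtures under rules/** and
# sast-engine/test-fixtures/** are never touched by either update type.
version: 2
updates:
  # --- Before (for contrast): the setting that produced weekly bump PRs ---
  # - package-ecosystem: "npm"
  #   directory: "/"
  #   schedule:
  #     interval: "weekly"
  #   open-pull-requests-limit: 5      # version-update PRs allowed
  #   groups:                          # no-op once the limit is 0, so removed
  #     minor-and-patch:
  #       update-types: ["minor", "patch"]

  # --- After: security-only ---
  - package-ecosystem: "npm"
    directory: "/"                     # assumed path
    schedule:
      interval: "weekly"               # still required by the schema
    open-pull-requests-limit: 0        # 0 = no version-update PRs;
                                       # security updates are unaffected
    labels:
      - "dependencies"                 # assumed existing label
      - "security"                     # added so open PRs are filterable
    commit-message:
      prefix: "chore(deps)"

  - package-ecosystem: "pip"
    directory: "/sast-engine"          # assumed path
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    labels:
      - "dependencies"
      - "security"
    commit-message:
      prefix: "chore(deps)"

  - package-ecosystem: "gomod"
    directory: "/scanner"              # assumed path
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    labels:
      - "dependencies"
      - "security"
    commit-message:
      prefix: "chore(deps)"
```

Two points worth checking when reviewing a file like this: the schedule block must remain even though no version-update PRs will be opened, because the schema requires it for every entry; and exclusion is by omission, so a fixture directory is kept out of scope by not listing it, not by an ignore rule.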