From 22ecca661ecc30af8b754f2d2806f3527b537378 Mon Sep 17 00:00:00 2001
From: Sven Greb
Date: Sat, 12 Dec 2020 11:50:16 +0100
Subject: [PATCH] Reduce Dependabot PR noise for NPM package ecosystem

To reduce the noise of too many PRs from NPM dependencies, where most of them are only scoped for (local) development, two optimizations have been made:

1. The schedule changed to the `monthly` interval [1]. This is still enough to keep up with the fast updates in the NPM ecosystem.
2. Only watch production packages (`dependencies`) and ignore development packages (`devDependencies`). The packages used for local or CI/CD development purposes are not required to be the latest version just for the sake of being up-to-date without a specific need or benefit.

Since GitHub takes security really serious [2], important Dependabot security updates [3] are triggered manually by a security advisor so there is no risk of missing important versions bumps when reducing the schedule interval.

"Use the `allow` option to customize which dependencies are updated. This has no impact on security updates for vulnerable dependencies."

[1]: https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates#scheduleinterval
[2]: https://github.com/security
[3]: https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-dependabot-security-updates

GH-65
---
 .github/dependabot.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 09f2ba6..b55de32 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -24,7 +24,9 @@ updates:
 - package-ecosystem: "npm"
 directory: "/"
 schedule:
- interval: "weekly"
+ interval: "monthly"
+ allow:
+ - dependency-type: "production"
 reviewers:
 - "svengreb"
 labels:
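Review bot: The new `allow:` block narrows version updates to `dependencies`, so devDependencies are kept current only by Dependabot security updates, and nothing in the hunk records that this relies on security updates being enabled for the repository; the description's "triggered manually by a security advisor" also does not match GitHub's own docs, which describe them as raised automatically when an advisory matching the lockfile enters GitHub's database, and only when the feature is switched on in the repository's security settings. A comment above `allow:` keeps that dependency visible to the next maintainer: `# devDependencies are deliberately excluded from version updates; they are covered only by Dependabot security updates, which must be enabled in the repository's security settings.` The excluded tooling (build, lint, CI scripts) still runs in CI with the repository token, so a vulnerable devDependency is not harmless — the security-update path is what makes this trade-off acceptable. Indentation is lost in this rendering, so also confirm `allow:` sits at the same level as `schedule:` rather than beneath it, where it should fail Dependabot's config validation as an unknown key.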