chore: Add Dependabot version-update cooldown #1746
ld-repository-standards[bot] wants to merge 1 commit into
Conversation
@launchdarkly/js-sdk-common size report
@launchdarkly/js-client-sdk size report
@launchdarkly/js-client-sdk-common size report
@launchdarkly/browser size report
Cursor Bugbot has reviewed your changes using default effort and found 2 potential issues.
Reviewed by Cursor Bugbot for commit f629fdc.
| schedule: | ||
| interval: "weekly" | ||
| cooldown: | ||
| default-days: 7 |
Duplicate npm Dependabot coverage
Medium Severity
The file registers npm version updates at the repo root and again for each Yarn workspace package.json. For this monorepo, a root npm entry already scans every workspace listed in the root package.json, so the per-package entries largely repeat the same scope and can produce overlapping Dependabot PRs for the same dependency.
| schedule: | ||
| interval: "weekly" | ||
| cooldown: | ||
| default-days: 7 |
Renovate and Dependabot overlap
Medium Severity
This commit adds a github-actions Dependabot entry while renovate.json still extends the recommended preset and keeps GitHub Actions updates enabled (only npm is disabled). If Renovate remains installed on the repo, both bots can propose the same workflow action bumps.


This pull request was auto-generated by the LaunchDarkly GitHub Standards automation platform.
updates in .github/dependabot.yml declares a cooldown of at least 7 days (default-days). Cooldown applies only to version updates; security updates bypass it, so critical CVE fixes are never delayed.
Ref: SEC-8058.
Note
Low Risk
CI-only configuration with no runtime or application code changes; only affects how and when Dependabot opens update PRs.
Overview
Introduces .github/dependabot.yml to automate dependency updates across the monorepo. Every update entry uses a weekly schedule and a cooldown.default-days: 7 so routine version bumps are spaced out; security updates are not subject to this cooldown (per Dependabot behavior). Coverage includes github-actions at the repo root and npm for the root workspace plus each package directory under packages/ (SDKs, AI providers, shared libs, store, telemetry, tooling, and examples).
cooldown.default-days: 7so routine version bumps are spaced out; security updates are not subject to this cooldown (per Dependabot behavior). Coverage includes github-actions at the repo root and npm for the root workspace plus each package directory underpackages/(SDKs, AI providers, shared libs, store, telemetry, tooling, and examples).Reviewed by Cursor Bugbot for commit f629fdc. Bugbot is set up for automated code reviews on this repo. Configure here.