chore(ci): enable Dependabot #435
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
dimakis
left a comment
Centaur Review
Found 1 issue(s) (1 warning).
.github/dependabot.yml
Solid Dependabot config; one npm directory (mcp-server/) is outside the workspace and will be missed.
- 🟡 bugs (L3): The mcp-server/ directory has its own package.json and package-lock.json outside the npm workspaces (root workspaces are packages/* and frontend). Dependabot's npm entry with directory: / will only scan the root lockfile and won't monitor mcp-server/ dependencies. Add a second npm ecosystem entry with directory: /mcp-server. [fixable]
| @@ -0,0 +1,20 @@ | |||
| version: 2 | |||
| updates: | |||
| - package-ecosystem: npm | |||
🟡 bugs: The mcp-server/ directory has its own package.json and package-lock.json outside the npm workspaces (root workspaces are packages/* and frontend). Dependabot's npm entry with directory: / will only scan the root lockfile and won't monitor mcp-server/ dependencies. Add a second npm ecosystem entry with directory: /mcp-server. [fixable]
dimakis
left a comment
Centaur Review
Found 1 issue(s).
.github/dependabot.yml
Clean Dependabot config; minor gap: the standalone mcp-server/ package isn't covered by the root npm entry since it's not a workspace member.
- 🔵 unsafe_assumptions (L3): The npm ecosystem entry uses directory: / which covers the root workspace, but this is an npm workspace monorepo with mcp-server/ having its own package.json outside the workspace config. Dependabot should handle workspace packages under packages/* and frontend/ automatically since they're declared in root workspaces, but mcp-server/ is not a workspace member — consider adding a separate npm entry with directory: /mcp-server so its dependencies also get updates. [fixable]
| @@ -0,0 +1,20 @@ | |||
| version: 2 | |||
| updates: | |||
| - package-ecosystem: npm | |||
🔵 unsafe_assumptions: The npm ecosystem entry uses directory: / which covers the root workspace, but this is an npm workspace monorepo with mcp-server/ having its own package.json outside the workspace config. Dependabot should handle workspace packages under packages/* and frontend/ automatically since they're declared in root workspaces, but mcp-server/ is not a workspace member — consider adding a separate npm entry with directory: /mcp-server so its dependencies also get updates. [fixable]
dimakis
left a comment
Centaur Review
Found 2 issue(s).
.github/dependabot.yml
Clean Dependabot config; the docker ecosystem entry is inert (no Dockerfile exists — compose images need docker-compose ecosystem instead), and npm major bumps will arrive as individual PRs.
- 🔵 unsafe_assumptions (L11): The docker ecosystem entry monitors Dockerfiles for base image updates, but this repo has no Dockerfile — it only uses pre-built images in docker-compose.yml (Jaeger, Loki, Grafana, MLflow). Dependabot's docker ecosystem won't update docker-compose.yml image tags; it only parses FROM directives in Dockerfiles. This entry is inert and can be removed to avoid confusion. If the intent is to track compose image versions, Dependabot added docker-compose ecosystem support — use package-ecosystem: docker-compose with directory: / instead. [fixable]
- 🔵 style (L9): The npm grouping only covers minor and patch updates. Major version bumps will arrive as individual PRs (one per package), which could be noisy. Consider adding a separate major group or an open-pull-requests-limit to cap PR volume. [fixable]
| groups: | ||
| minor-and-patch: | ||
| update-types: [minor, patch] | ||
| - package-ecosystem: docker |
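Review bot: the `minor-and-patch` group at `update-types: [minor, patch]` folds every minor and patch bump in the workspace into one PR, so a single compromised or regressing patch release lands bundled with many benign ones and gets less per-package scrutiny than an individual PR would; review each entry in the grouped PR's release notes rather than approving on a green CI run, and consider Dependabot's `cooldown` setting so brand-new releases age for a few days before they are pulled in.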
🔵 unsafe_assumptions: The docker ecosystem entry monitors Dockerfiles for base image updates, but this repo has no Dockerfile — it only uses pre-built images in docker-compose.yml (Jaeger, Loki, Grafana, MLflow). Dependabot's docker ecosystem won't update docker-compose.yml image tags; it only parses FROM directives in Dockerfiles. This entry is inert and can be removed to avoid confusion. If the intent is to track compose image versions, Dependabot added docker-compose ecosystem support — use package-ecosystem: docker-compose with directory: / instead. [fixable]
| interval: weekly | ||
| day: monday | ||
| groups: | ||
| minor-and-patch: |
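Review bot: `interval: weekly` with `day: monday` only paces version updates; Dependabot security updates are opened when an alert fires and do not wait for this schedule, so the weekly cadence is not a security regression. The `groups:` block that follows applies to version updates unless `applies-to: security-updates` is set on the group, so alert-driven PRs will still arrive one package at a time.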
🔵 style: The npm grouping only covers minor and patch updates. Major version bumps will arrive as individual PRs (one per package), which could be noisy. Consider adding a separate major group or an open-pull-requests-limit to cap PR volume. [fixable]
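A dependabot.yml that addresses all three review points above (the uncovered mcp-server/ package, the inert docker entry, and ungrouped major bumps), as an added example that is not the PR's actual file: it assumes the directory layout the reviewer describes (root npm workspaces packages/* and frontend, a standalone mcp-server/, images declared only in docker-compose.yml) and the weekly Monday schedule shown in the hunk; the pull-request limit and group names are illustrative.

```yaml
# Added example, not the PR's .github/dependabot.yml.
# Assumes: root npm workspaces (packages/*, frontend), a standalone
# mcp-server/ package, and container images declared only in docker-compose.yml.
version: 2
updates:
  # Root npm entry: covers the root package-lock.json and every declared workspace.
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
      day: monday
    # Cap concurrent PRs so ungrouped bumps cannot flood the queue (value is illustrative).
    open-pull-requests-limit: 5
    groups:
      minor-and-patch:
        update-types: [minor, patch]
      # Majors in their own grouped PR: they need a human to read migration notes.
      major:
        update-types: [major]

  # mcp-server/ is not a workspace member, so the root entry never opens its
  # lockfile; a second entry is required for its dependencies to be monitored.
  - package-ecosystem: npm
    directory: /mcp-server
    schedule:
      interval: weekly
      day: monday
    groups:
      minor-and-patch:
        update-types: [minor, patch]

  # The repo has no Dockerfile, so a `docker` entry would be inert.
  # `docker-compose` bumps the image tags inside docker-compose.yml.
  - package-ecosystem: docker-compose
    directory: /
    schedule:
      interval: weekly
      day: monday
```

The two npm entries can also be collapsed into one using the `directories:` list key (`directories: ["/", "/mcp-server"]`), which shares one schedule and group definition across both lockfiles. After pushing the file, confirm coverage in the repository's Insights, Dependency graph, Dependabot tab: each `updates` entry gets its own update job there, and an entry whose directory contains no manifest is reported as an error on that page rather than failing silently.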
Summary
.github/dependabot.yml to enable automated dependency update PRs
Test plan
🤖 Generated with Claude Code