Skip to content

Have dependabot ignore patch updates#69

Merged
ejfine merged 1 commit intomainfrom
more-dependabot
Jul 6, 2025
Merged

Have dependabot ignore patch updates#69
ejfine merged 1 commit intomainfrom
more-dependabot

Conversation

@ejfine
Copy link
Contributor

@ejfine ejfine commented Jul 6, 2025
edited by coderabbitai bot
Loading

Why is this change necessary?

It was too noisy

How does this change address the issue?

Updates config in this repo and child template

What side effects does this change have?

N/A

How is this change tested?

the impact on dependabot isn't tested, but these changes were pulled successfully into downstream child and grandchild repos

Other

bumped some package versions

Summary by CodeRabbit

  • Chores
    • Updated dependency management settings to ignore non-security patch updates.
    • Updated internal tool and library versions to newer releases.

@ejfine ejfine requested a review from Copilot July 6, 2025 18:21
@ejfine ejfine self-assigned this Jul 6, 2025
@coderabbitai
Copy link

coderabbitai bot commented Jul 6, 2025
edited
Loading

Walkthrough

The changes update the Dependabot configuration to globally ignore patch-level semantic version updates for all dependencies, except for security updates. Additionally, several dependency version strings are incremented within the ContextUpdater class in the codebase, without altering any logic or control flow.

Changes

File(s) Change Summary
.github/dependabot.yml Added a global ignore rule for patch-level updates for all dependencies; clarified with a comment.
extensions/context.py Updated version strings for multiple dependencies and tools in the ContextUpdater class.

Poem

A patch ignored, a version raised,
Dependabot’s rules have been rephrased.
Context strings now shine anew,
With fresher tags in every queue.
The rabbit hops with tidy cheer,
For updates managed far and near!
🐇✨

✨ Finishing Touches
  • 📝 Generate Docstrings
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

Copilot AI reviewed Jul 6, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR updates the Dependabot configuration to ignore routine semver-patch updates and bumps several package version pins in the project template.

  • Adds a global wildcard rule to skip patch-level Dependabot PRs
  • Retains and duplicates a boto3-specific patch-ignore rule
  • Updates multiple version values in extensions/context.py

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
extensions/context.py Bumped various tool and library version strings
.github/dependabot.yml Added a wildcard ignore for semver-patch updates
Comments suppressed due to low confidence (1)

.github/dependabot.yml:15

  • The boto3-specific ignore entry is now redundant because the preceding wildcard rule (dependency-name: "*") already covers all semver-patch updates. Consider removing this duplicate to simplify the configuration.
      - dependency-name: "boto3" # boto3 gets patch updates way too frequently and they're usually not important

coderabbitai[bot]
coderabbitai bot reviewed Jul 6, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (3)
.github/dependabot.yml (1)

12-15: Wildcard-first ignore rule makes the later boto3 rule redundant

Because the new "*" ignore rule already suppresses every patch-level update, the specific boto3 rule that follows will never be reached.
Keep the latter only if you intend to drop the wildcard in the future; otherwise delete it to avoid confusion.

-      - dependency-name: "boto3" # boto3 gets patch updates way too frequently and they're usually not important
-        update-types:
-          - "version-update:semver-patch"
extensions/context.py (2)

20-21: Hard-coding every version string invites drift

These constants now diverge from the previous install scripts and pyproject.toml. Consider moving shared versions to a single source of truth (e.g. pyproject.toml’s [tool.*] table or a dedicated versions.py) and importing it here, so that future bumps are atomic.

36-37: Pydantic 2.11.x may be incompatible with FastAPI < 0.111

You bumped FastAPI further below, but third-party plugins inside child templates could still pin older FastAPI releases. Suggest grepping the repo for fastapi== and running pip check in template-generated projects.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3653e28 and e705a34.

📒 Files selected for processing (2)
  • .github/dependabot.yml (1 hunks)
  • extensions/context.py (1 hunks)
🔇 Additional comments (3)
.github/dependabot.yml (1)

12-15: Confirm security-fix behaviour is preserved

Dependabot is supposed to ignore rules for non-security PRs only. Still, double-check that the organisation policy (or any custom bot filters) doesn’t inadvertently block security advisories after adding this global rule.

No code change required — just verify in a staging repo or next scheduled run.

extensions/context.py (2)

28-29: Pulumi 3.181.0 introduces deprecations

The 3.181.x line deprecates several resources; downstream templates might emit warnings or break type checks. Make sure CI runs with PULUMI_SKIP_UPDATE_CHECK disabled to catch unexpected provider upgrades.

40-42: Version numbers verified on PyPI

The specified versions for fastapi (0.115.14) and uvicorn (0.35.0) match the latest releases on PyPI, so there are no typos and no further changes are needed.

@ejfine ejfine merged commit e2dca74 into main Jul 6, 2025
8 checks passed
@ejfine ejfine deleted the more-dependabot branch July 6, 2025 18:28
@coderabbitai coderabbitai bot mentioned this pull request Jul 14, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Copilot code review Copilot Copilot left review comments

Assignees

@ejfine ejfine

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ejfine