@calintje calintje commented Oct 7, 2025

Summary

Configures Dependabot with dependency grouping to reduce PR volume while maintaining safety for breaking changes. Groups 729 dependencies across npm and Cargo ecosystems based on analysis of lockfiles.

Process

To determine optimal grouping strategies, I ran analysis scripts against the repository's lockfiles:

  1. npm/yarn analysis: Parsed yarn.lock to identify scoped packages (@scope/package patterns) and count their prevalence
  2. Root Cargo analysis: Analyzed Cargo.lock to identify common prefixes (prefix-* patterns)
  3. SDK Cargo analysis: Aggregated analysis across 7 Cargo.lock files in subdirectories:
    • rust-sdk/{client,core,macros,tx-sender,whirlpool}
    • ts-sdk/core
    • examples/rust-sdk/whirlpool_repositioning_bot

Strategy

### Grouping Rules

  • Group together: Minor and patch updates for related packages
  • Keep separate: Major version updates (breaking changes requiring review)

Dependency Groups

Total: 729 packages across 23 groups

1. JavaScript/npm Dependencies (Root yarn.lock)

| Group Name | Package Count |
|---|---|
| docusaurus | 26 |
| solana-v1 | 4 |
| solana-v2-core | 39 |
| solana-v2-programs | 6 |
| typescript-types | 55 |
| build-tools | 163 |
| testing-tools | 8 |
| monorepo-tools | 11 |
| linting-tools | 18 |
| release-tools | 19 |
| codegen-tools | 14 |
| docs-tooling | 94 |
| nextjs | 11 |
| TOTAL | 468 |

2. Cargo - Root Program (Cargo.lock, Solana v1.17)

| Group Name | Package Count |
|---|---|
| solana-ecosystem | 23 |
| anchor-framework | 12 |
| serialization | 10 |
| cryptography | 16 |
| wasm-tooling | 5 |
| TOTAL | 66 |

3. Cargo - SDK Subdirectories (Multiple Cargo.lock files, Solana v2.x)

| Group Name | Package Count |
|---|---|
| solana-sdk | 130 |
| serialization | 16 |
| cryptography | 18 |
| wasm-tooling | 7 |
| async-runtime | 24 |
| TOTAL | 195 |
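
A sketch of the kind of lockfile analysis described under Process, as an added example (not the script the PR author ran): it counts npm scopes in yarn.lock text and hyphen prefixes in Cargo.lock text, then turns the frequent ones into `@scope/*` and `prefix-*` patterns. The sample lockfile fragments, the function names and the `min_count` threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed, trimmed lockfile fragments (not taken from the repository).
SAMPLE_YARN_LOCK = '''\
"@solana/web3.js@npm:^1.95.0":
  version: 1.95.3

"@solana/spl-token@npm:^0.4.0, @solana/spl-token@npm:^0.4.8":
  version: 0.4.8

"@coral-xyz/anchor@npm:^0.29.0":
  version: 0.29.0

"typescript@npm:^5.4.0":
  version: 5.5.4
'''
SAMPLE_CARGO_LOCK = '''\
[[package]]
name = "solana-program"

[[package]]
name = "solana-sdk"

[[package]]
name = "serde"
'''

def yarn_scopes(text):
    """Count distinct scoped packages per @scope in yarn.lock text."""
    packages = set()
    for line in text.splitlines():
        # Entry headers start in column 0 and end with ':'.
        if not line or line[0] in " #" or not line.endswith(":"):
            continue
        for spec in line[:-1].split(","):
            m = re.match(r"(@[^/]+/[^@]+)@", spec.strip().strip('"'))
            if m:
                packages.add(m.group(1))  # one count per package, not per range
    return Counter(name.split("/")[0] for name in packages)

def cargo_prefixes(text):
    """Count distinct crates per hyphen prefix in Cargo.lock text."""
    names = set(re.findall(r'^name = "([^"]+)"', text, re.M))
    return Counter(n.split("-")[0] for n in names if "-" in n)

def suggest_patterns(counts, template, min_count=2):
    """Turn scopes/prefixes seen at least min_count times into glob patterns."""
    return sorted(template.format(k) for k, c in counts.items() if c >= min_count)
```

A header that lists the same package under several version ranges is counted once, so the totals reflect distinct packages per scope rather than lockfile entries.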

- "@solana/web3.js"
- "@solana/spl-token"
- "@coral-xyz/*"
update-types:
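
Review bot: the `update-types:` key that closes this group's pattern list is what restricts the group to minor and patch updates, so it should stay, with only `minor` and `patch` listed under it, if the rule in the description (major updates kept separate) is meant to hold. A Dependabot group without `update-types` matches every update level, so major bumps of `@solana/web3.js`, `@solana/spl-token` and anything under `@coral-xyz/*` would be folded into the same grouped PR.
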
Member

Think you can omit the update-types everywhere. Otherwise LGTM

@calintje calintje enabled auto-merge (squash) October 8, 2025 19:32
@calintje calintje merged commit c6f6df4 into main Oct 8, 2025
8 checks passed
@calintje calintje deleted the calintje/dependabot-update branch October 8, 2025 19:50