Skip to content

ci(deps): consolidate dependabot npm entries for root#3014

Merged
saikumarrs merged 1 commit into
developfrom
chore/dependabot-consolidate-npm-entry
May 14, 2026
Merged

ci(deps): consolidate dependabot npm entries for root#3014
saikumarrs merged 1 commit into
developfrom
chore/dependabot-consolidate-npm-entry

Conversation

@saikumarrs

@saikumarrs saikumarrs commented May 14, 2026

Copy link
Copy Markdown
Member

Summary

  • Drop the second package-ecosystem: "npm" entry for / + develop that was introduced in ci(deps): split dependabot npm groups by runtime vs toolchain #2968. Dependabot does not support two npm entries that share the same directory + target-branch, so the toolchain block was silently inactive: no npm-toolchain-deps PR has ever been opened, and toolchain packages (@rollup/rollup-*, @swc/core-*, @nx/nx-*) were still being grouped into npm-prod-deps with a chore prefix instead of the configured fix.
  • Remove the ignore list as well — all root npm deps now flow through a single entry. Prod bumps land as fix(deps): (so the release pipeline's conventional-commit analyzer picks them up); dev bumps stay as chore(deps-dev):. PR titles can be overridden manually for toolchain-only bumps that shouldn't trigger a release.
  • Update the inline comment to document the single-entry constraint so it doesn't get re-split.

Why this matters

Since #2968 was merged, every npm-prod-deps PR (#2979, #2994, #3007) contained only toolchain packages and shipped as chore(deps):. Zero fix(deps): PRs have been produced from Dependabot — meaning the release pipeline has not been auto-bumping consumers for any runtime prod-dep change. This restores that behavior.

Test plan

  • Wait for the next Wednesday Dependabot run and confirm prod-dep bumps appear as fix(deps): and dev-dep bumps as chore(deps-dev):.
  • Confirm toolchain bumps now also flow through (and override the PR title manually if a given bump shouldn't drive a release).

Summary by CodeRabbit

Chores

  • Updated Dependabot configuration to clarify dependency bump labeling practices between production and development environments and streamline toolchain package update handling within the monorepo's primary dependency management system.

Review Change Stack

Dependabot does not support two `package-ecosystem: npm` entries that
share the same directory + target-branch. The split introduced in #2968
was silently broken: no `npm-toolchain-deps` PR was ever opened, and
toolchain packages still leaked into `npm-prod-deps` with a `chore`
prefix instead of the intended `fix`. Collapse to a single npm entry
for `/` so the configured prefixes (`fix` for prod, `chore` for dev)
actually take effect; PR titles can be overridden manually for
toolchain-only bumps that shouldn't trigger a release.
Copilot AI review requested due to automatic review settings May 14, 2026 04:51
@coderabbitai

coderabbitai Bot commented May 14, 2026

Copy link
Copy Markdown
Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 7c5e2699-d118-40cb-86fb-c1006274d2b9

📥 Commits

Reviewing files that changed from the base of the PR and between 02a2880 and 74e6807.

📒 Files selected for processing (1)
  • .github/dependabot.yml

📝 Walkthrough

Walkthrough

The .github/dependabot.yml configuration is simplified by consolidating toolchain package management: the dedicated npm update entry for Nx/Rollup/SWC packages is removed, their ignore rules are dropped from the root configuration, and clarifying comments are added to document dependency grouping behavior.

Changes

Dependabot Configuration Simplification

Layer / File(s) Summary
Consolidate toolchain dependency management
.github/dependabot.yml
Removed the dedicated npm update entry for toolchain packages (@nx/, @rollup/rollup-, @swc/core-*) and the ignore subsection from the root npm config. Updated comments clarify how the root configuration handles prod vs dev dependency bumps and Dependabot PR title overrides.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title 'ci(deps): consolidate dependabot npm entries for root' accurately and specifically describes the main change: consolidating duplicate Dependabot npm configuration entries at the repository root.
Description check ✅ Passed The PR description provides a comprehensive summary of changes, explains the motivation (fixing a silent failure where toolchain deps weren't using the correct prefix), and includes a test plan; however, it lacks several template sections including Linear task, Cross Browser Tests, Sanity Suite, and Security checklist.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

  • Generate code and open pull requests
  • Plan features and break down work
  • Investigate incidents and troubleshoot customer tickets together
  • Automate recurring tasks and respond to alerts with triggers
  • Summarize progress and report instantly

Built for teams:

  • Shared memory across your entire org—no repeating context
  • Per-thread sandboxes to safely plan and execute work
  • Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Reverts the dual-entry npm dependabot setup for the monorepo root introduced in #2968, which was silently inactive because Dependabot disallows two npm entries sharing the same directory + target-branch. Consolidates back to a single entry so prod bumps land as fix(deps): (picked up by the release pipeline) and dev bumps as chore(deps-dev):, with toolchain packages flowing through the same entry.

Changes:

  • Remove the second npm entry (npm-toolchain-deps) for / + develop.
  • Drop the ignore list so toolchain packages (@nx/*, @rollup/rollup-*, @swc/core-*) flow through the single root entry.
  • Update inline comment to document the single-entry constraint.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@saikumarrs saikumarrs marked this pull request as ready for review May 14, 2026 04:59
@saikumarrs saikumarrs requested a review from a team as a code owner May 14, 2026 04:59
@saikumarrs saikumarrs merged commit 659a79d into develop May 14, 2026
17 checks passed
@saikumarrs saikumarrs deleted the chore/dependabot-consolidate-npm-entry branch May 14, 2026 05:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants