ci(deps): consolidate dependabot npm entries for root#3014
Conversation
Dependabot does not support two `package-ecosystem: npm` entries that share the same directory + target-branch. The split introduced in #2968 was silently broken: no `npm-toolchain-deps` PR was ever opened, and toolchain packages still leaked into `npm-prod-deps` with a `chore` prefix instead of the intended `fix`. Collapse to a single npm entry for `/` so the configured prefixes (`fix` for prod, `chore` for dev) actually take effect; PR titles can be overridden manually for toolchain-only bumps that shouldn't trigger a release.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThe ChangesDependabot Configuration Simplification
🎯 1 (Trivial) | ⏱️ ~3 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Tip 💬 Introducing Slack Agent: The best way for teams to turn conversations into code.Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.
Built for teams:
One agent for your entire SDLC. Right inside Slack. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
Reverts the dual-entry npm dependabot setup for the monorepo root introduced in #2968, which was silently inactive because Dependabot disallows two npm entries sharing the same directory + target-branch. Consolidates back to a single entry so prod bumps land as fix(deps): (picked up by the release pipeline) and dev bumps as chore(deps-dev):, with toolchain packages flowing through the same entry.
Changes:
- Remove the second
npmentry (npm-toolchain-deps) for/+develop. - Drop the
ignorelist so toolchain packages (@nx/*,@rollup/rollup-*,@swc/core-*) flow through the single root entry. - Update inline comment to document the single-entry constraint.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Summary
package-ecosystem: "npm"entry for/+developthat was introduced in ci(deps): split dependabot npm groups by runtime vs toolchain #2968. Dependabot does not support two npm entries that share the same directory + target-branch, so the toolchain block was silently inactive: nonpm-toolchain-depsPR has ever been opened, and toolchain packages (@rollup/rollup-*,@swc/core-*,@nx/nx-*) were still being grouped intonpm-prod-depswith achoreprefix instead of the configuredfix.ignorelist as well — all root npm deps now flow through a single entry. Prod bumps land asfix(deps):(so the release pipeline's conventional-commit analyzer picks them up); dev bumps stay aschore(deps-dev):. PR titles can be overridden manually for toolchain-only bumps that shouldn't trigger a release.Why this matters
Since #2968 was merged, every
npm-prod-depsPR (#2979, #2994, #3007) contained only toolchain packages and shipped aschore(deps):. Zerofix(deps):PRs have been produced from Dependabot — meaning the release pipeline has not been auto-bumping consumers for any runtime prod-dep change. This restores that behavior.Test plan
fix(deps):and dev-dep bumps aschore(deps-dev):.Summary by CodeRabbit
Chores