11version : 2
22updates :
33 # Root Electron + React app
4- - package-ecosystem : " npm"
5- directory : " / "
4+ - package-ecosystem : ' npm'
5+ directory : ' / '
66 schedule :
7- interval : " weekly"
8- day : " monday"
7+ interval : ' weekly'
8+ day : ' monday'
99 open-pull-requests-limit : 10
1010 groups :
1111 minor-and-patch :
1212 update-types :
13- - " minor"
14- - " patch"
13+ - ' minor'
14+ - ' patch'
1515 ignore :
1616 # @nivo/* is pre-1.0 and each minor can ship breaking changes. 0.99.0 broke `<Bar>`
1717 # elements. Hold the nivo packages at 0.88.0 until they're upgraded deliberately.
1818 # See PR #2091 (reverted by dadmobile).
19- - dependency-name : " @nivo/bar"
20- versions : [" >0.88.0" ]
21- - dependency-name : " @nivo/core"
22- versions : [" >0.88.0" ]
23- - dependency-name : " @nivo/line"
24- versions : [" >0.88.0" ]
25- - dependency-name : " @nivo/radar"
26- versions : [" >0.88.0" ]
19+ - dependency-name : ' @nivo/bar'
20+ versions : [' >0.88.0' ]
21+ - dependency-name : ' @nivo/core'
22+ versions : [' >0.88.0' ]
23+ - dependency-name : ' @nivo/line'
24+ versions : [' >0.88.0' ]
25+ - dependency-name : ' @nivo/radar'
26+ versions : [' >0.88.0' ]
2727 # lucide-react is imported in ~78 renderer components. The 1.0 line is an ESM-only
2828 # rewrite (`.mjs` bundles, RSC/dynamic-import reshuffles) and lucide ships icon
2929 # renames as plain minors on the 0.x line, so neither `semver-major` gating nor
3030 # the grouped minor/patch flow is safe here. Hold at 0.477.0 and bump deliberately
3131 # with a build + smoke test of icon-heavy pages (ModelZoo, Settings, Welcome,
3232 # Team). See PR #2174.
33- - dependency-name : " lucide-react"
34- versions : [" >0.477.0" ]
33+ - dependency-name : ' lucide-react'
34+ versions : [' >0.477.0' ]
3535 # React 19 is a major API change (ref-as-prop, removed legacy APIs, new JSX
3636 # transform). `react`, `react-dom`, and their @types must move together, and
3737 # @testing-library/react must move in lockstep (see below). Hold the whole
3838 # React family at 18.x until a coordinated migration. See PR #2126.
39- - dependency-name : " react"
40- versions : [" >=19" ]
41- - dependency-name : " react-dom"
42- versions : [" >=19" ]
43- - dependency-name : " @types/react"
44- versions : [" >=19" ]
45- - dependency-name : " @types/react-dom"
46- versions : [" >=19" ]
39+ - dependency-name : ' react'
40+ versions : [' >=19' ]
41+ - dependency-name : ' react-dom'
42+ versions : [' >=19' ]
43+ - dependency-name : ' @types/react'
44+ versions : [' >=19' ]
45+ - dependency-name : ' @types/react-dom'
46+ versions : [' >=19' ]
4747 # @testing-library/react v15 dropped React 17 and v16 requires React 19. Bundle
4848 # this with the React 19 migration. See PR #2127.
49- - dependency-name : " @testing-library/react"
50- versions : [" >=15" ]
49+ - dependency-name : ' @testing-library/react'
50+ versions : [' >=15' ]
5151 # jest-environment-jsdom v30 requires jest@30; we're on jest@29. Hold until a
5252 # coordinated jest 30 upgrade (which also affects ts-jest, @types/jest, etc.).
5353 # See PR #2130.
54- - dependency-name : " jest-environment-jsdom"
55- versions : [" >=30" ]
54+ - dependency-name : ' jest-environment-jsdom'
55+ versions : [' >=30' ]
5656 # @types/node majors track Node runtime majors. We're pinned to Node 22 (see
5757 # CLAUDE.md; conda env, scripts/dev.py, CI), and the renderer doesn't import
5858 # Node builtins directly — only build tooling under .erb/ and scripts/ does.
5959 # Holding at 22.x avoids a recurring PR with zero security exposure (types-only
6060 # package). Lift this in lockstep when Node itself moves.
61- - dependency-name : " @types/node"
62- versions : [" >=23" ]
61+ - dependency-name : ' @types/node'
62+ versions : [' >=23' ]
6363 # Webpack loader / CLI family. These churn constantly and each major typically
6464 # requires coordinated changes across .erb/configs/* (webpack 5 config shape,
6565 # asset modules, postcss override compatibility — see the `overrides` note in
6666 # package.json). We're not chasing the bleeding edge on the build toolchain;
6767 # security fixes still land via minor/patch. Bump these deliberately as a
6868 # single toolchain-upgrade PR when it's worth a focused day.
69- - dependency-name : " webpack-cli"
70- update-types : [" version-update:semver-major" ]
71- - dependency-name : " webpack-dev-server"
72- update-types : [" version-update:semver-major" ]
73- - dependency-name : " webpack-merge"
74- update-types : [" version-update:semver-major" ]
75- - dependency-name : " webpack-bundle-analyzer"
76- update-types : [" version-update:semver-major" ]
77- - dependency-name : " css-loader"
78- update-types : [" version-update:semver-major" ]
79- - dependency-name : " sass-loader"
80- update-types : [" version-update:semver-major" ]
81- - dependency-name : " style-loader"
82- update-types : [" version-update:semver-major" ]
83- - dependency-name : " postcss-loader"
84- update-types : [" version-update:semver-major" ]
85- - dependency-name : " esbuild-loader"
86- update-types : [" version-update:semver-major" ]
69+ - dependency-name : ' webpack-cli'
70+ update-types : [' version-update:semver-major' ]
71+ - dependency-name : ' webpack-dev-server'
72+ update-types : [' version-update:semver-major' ]
73+ - dependency-name : ' webpack-merge'
74+ update-types : [' version-update:semver-major' ]
75+ - dependency-name : ' webpack-bundle-analyzer'
76+ update-types : [' version-update:semver-major' ]
77+ - dependency-name : ' css-loader'
78+ update-types : [' version-update:semver-major' ]
79+ - dependency-name : ' sass-loader'
80+ update-types : [' version-update:semver-major' ]
81+ - dependency-name : ' style-loader'
82+ update-types : [' version-update:semver-major' ]
83+ - dependency-name : ' postcss-loader'
84+ update-types : [' version-update:semver-major' ]
85+ - dependency-name : ' esbuild-loader'
86+ update-types : [' version-update:semver-major' ]
8787 # file-loader and url-loader are abandoned upstream (replaced by webpack 5's
8888 # built-in asset modules). No future major will be worth taking — only here
8989 # for legacy compatibility.
90- - dependency-name : " file-loader"
91- update-types : [" version-update:semver-major" ]
92- - dependency-name : " url-loader"
93- update-types : [" version-update:semver-major" ]
94- - dependency-name : " mini-css-extract-plugin"
95- update-types : [" version-update:semver-major" ]
96- - dependency-name : " css-minimizer-webpack-plugin"
97- update-types : [" version-update:semver-major" ]
98- - dependency-name : " html-webpack-plugin"
99- update-types : [" version-update:semver-major" ]
100- - dependency-name : " tsconfig-paths-webpack-plugin"
101- update-types : [" version-update:semver-major" ]
102- - dependency-name : " @svgr/webpack"
103- update-types : [" version-update:semver-major" ]
104- - dependency-name : " @pmmmwh/react-refresh-webpack-plugin"
105- update-types : [" version-update:semver-major" ]
106- - dependency-name : " @teamsupercell/typings-for-css-modules-loader"
107- update-types : [" version-update:semver-major" ]
90+ - dependency-name : ' file-loader'
91+ update-types : [' version-update:semver-major' ]
92+ - dependency-name : ' url-loader'
93+ update-types : [' version-update:semver-major' ]
94+ - dependency-name : ' mini-css-extract-plugin'
95+ update-types : [' version-update:semver-major' ]
96+ - dependency-name : ' css-minimizer-webpack-plugin'
97+ update-types : [' version-update:semver-major' ]
98+ - dependency-name : ' html-webpack-plugin'
99+ update-types : [' version-update:semver-major' ]
100+ - dependency-name : ' tsconfig-paths-webpack-plugin'
101+ update-types : [' version-update:semver-major' ]
102+ - dependency-name : ' @svgr/webpack'
103+ update-types : [' version-update:semver-major' ]
104+ - dependency-name : ' @pmmmwh/react-refresh-webpack-plugin'
105+ update-types : [' version-update:semver-major' ]
106+ - dependency-name : ' @teamsupercell/typings-for-css-modules-loader'
107+ update-types : [' version-update:semver-major' ]
108108
109109 # Docs site (Docusaurus, managed with yarn classic — dependabot's npm ecosystem auto-detects yarn.lock)
110110 # Build runs on Node 22 via transformerlab-docs/netlify.toml. Major bumps are ignored across
111111 # the board (manual coordination needed); minor/patch updates flow through for security.
112- - package-ecosystem : " npm"
113- directory : " /transformerlab-docs"
112+ - package-ecosystem : ' npm'
113+ directory : ' /transformerlab-docs'
114114 schedule :
115- interval : " weekly"
116- day : " monday"
115+ interval : ' weekly'
116+ day : ' monday'
117117 open-pull-requests-limit : 5
118118 commit-message :
119- prefix : " docs-deps"
120- include : " scope"
119+ prefix : ' docs-deps'
120+ include : ' scope'
121121 labels :
122- - " dependencies"
123- - " docs"
122+ - ' dependencies'
123+ - ' docs'
124124 groups :
125125 docusaurus :
126126 patterns :
127- - " @docusaurus/*"
128- - " @mdx-js/*"
127+ - ' @docusaurus/*'
128+ - ' @mdx-js/*'
129129 react :
130130 patterns :
131- - " react"
132- - " react-dom"
131+ - ' react'
132+ - ' react-dom'
133133 minor-and-patch :
134134 update-types :
135- - " minor"
136- - " patch"
135+ - ' minor'
136+ - ' patch'
137137 ignore :
138138 # Major bumps on docs deps need manual coordination; minor/patch is enough for security.
139- - dependency-name : " * "
140- update-types : [" version-update:semver-major" ]
139+ - dependency-name : ' * '
140+ update-types : [' version-update:semver-major' ]
141141
142142 # API (FastAPI, managed with uv)
143- - package-ecosystem : " uv "
144- directory : " /api"
143+ - package-ecosystem : ' uv '
144+ directory : ' /api'
145145 schedule :
146- interval : " weekly"
147- day : " monday"
146+ interval : ' weekly'
147+ day : ' monday'
148148 open-pull-requests-limit : 10
149149 groups :
150+ # Core web/auth stack. These packages are mostly pre-1.0 (where
151+ # "minor" bumps ship breaking changes) or tightly coupled to
152+ # fastapi+fastapi-users. A regression in any of them can break
153+ # every request through the API.
154+ #
155+ # Plan:
156+ # - take patches automatically for security coverage
157+ # - hold minor bumps for a deliberate, manual PR
158+ #
159+ # Dependabot evaluates groups in order, so this one must come before
160+ # `minor-and-patch`.
161+ core-web-stack :
162+ patterns :
163+ - ' fastapi'
164+ - ' fastapi-users'
165+ - ' httpx-oauth'
166+ - ' uvicorn'
167+ - ' aiosqlite'
168+ - ' asyncpg'
169+ - ' python-multipart'
170+ update-types :
171+ - ' patch'
150172 minor-and-patch :
151173 update-types :
152- - " minor"
153- - " patch"
174+ - ' minor'
175+ - ' patch'
154176 ignore :
177+ # Core web/auth stack: block all minor and major bumps so they don't
178+ # leak into the `minor-and-patch` catch-all. Patches still flow through
179+ # the `core-web-stack` group above. Minors and majors require a
180+ # deliberate, human-driven PR — see the comment on `core-web-stack`
181+ # for the rationale.
182+ - dependency-name : ' fastapi'
183+ update-types :
184+ ['version-update:semver-minor', 'version-update:semver-major']
185+ - dependency-name : ' fastapi-users'
186+ update-types :
187+ ['version-update:semver-minor', 'version-update:semver-major']
188+ - dependency-name : ' httpx-oauth'
189+ update-types :
190+ ['version-update:semver-minor', 'version-update:semver-major']
191+ - dependency-name : ' uvicorn'
192+ update-types :
193+ ['version-update:semver-minor', 'version-update:semver-major']
194+ - dependency-name : ' aiosqlite'
195+ update-types :
196+ ['version-update:semver-minor', 'version-update:semver-major']
197+ - dependency-name : ' asyncpg'
198+ update-types :
199+ ['version-update:semver-minor', 'version-update:semver-major']
200+ - dependency-name : ' python-multipart'
201+ update-types :
202+ ['version-update:semver-minor', 'version-update:semver-major']
203+
155204 # datasets 4.x removes loading-script support (`trust_remote_code` workflows) that
156205 # several gallery training scripts rely on. Deliberately pinned to 3.x; a datasets
157206 # upgrade needs its own dedicated PR with full validation. See PR #2090.
158- - dependency-name : " datasets"
159- versions : [" >=4" ]
207+ - dependency-name : ' datasets'
208+ versions : [' >=4' ]
160209 # azure-mgmt-resource 25.0.0 removed/relocated `SubscriptionClient`, which our
161210 # Azure compute provider imports from `azure.mgmt.resource`. Provider health check
162211 # fails immediately on import. Revisit after refactoring the import path. See PR #2083.
163- - dependency-name : " azure-mgmt-resource"
164- versions : [" >=25" ]
212+ - dependency-name : ' azure-mgmt-resource'
213+ versions : [' >=25' ]
165214 # boto3 patches beyond 1.40.70 are uninstallable. Each boto3 patch pins a
166215 # matching botocore patch, and aiobotocore's compatible window in the 1.40
167216 # line is botocore>=1.40.37,<1.40.71 — so boto3 1.40.71+ (and all of 1.41.x)
168217 # fall in a dead zone aiobotocore won't accept. aiobotocore is pulled in
169218 # transitively via s3fs, which is capped by fsspec, which is capped by the
170219 # `datasets` 3.x pin above. Hold boto3 at 1.40.70 until datasets is unpinned
171220 # or a newer aiobotocore covers the gap. See PR #2159, PR #2169.
172- - dependency-name : " boto3"
173- versions : [" >1.40.70" ]
221+ - dependency-name : ' boto3'
222+ versions : [' >1.40.70' ]
174223
175224 # CLI (Typer, managed with uv)
176225 # Security-only mode: the CLI is published to PyPI as `transformerlab-cli` and
@@ -181,35 +230,35 @@ updates:
181230 # disables routine version-update PRs while still allowing Dependabot security
182231 # advisory PRs to fire (security updates bypass the limit). Revisit if the CLI
183232 # ever grows a network listener or starts parsing untrusted input.
184- - package-ecosystem : " uv "
185- directory : " /cli"
233+ - package-ecosystem : ' uv '
234+ directory : ' /cli'
186235 schedule :
187- interval : " weekly"
188- day : " monday"
236+ interval : ' weekly'
237+ day : ' monday'
189238 open-pull-requests-limit : 0
190239
191240 # Lab SDK (published to PyPI as `transformerlab`)
192- - package-ecosystem : " uv "
193- directory : " /lab-sdk"
241+ - package-ecosystem : ' uv '
242+ directory : ' /lab-sdk'
194243 schedule :
195- interval : " weekly"
196- day : " monday"
244+ interval : ' weekly'
245+ day : ' monday'
197246 open-pull-requests-limit : 5
198247 groups :
199248 minor-and-patch :
200249 update-types :
201- - " minor"
202- - " patch"
250+ - ' minor'
251+ - ' patch'
203252
204253 # GitHub Actions workflows
205- - package-ecosystem : " github-actions"
206- directory : " / "
254+ - package-ecosystem : ' github-actions'
255+ directory : ' / '
207256 schedule :
208- interval : " weekly"
209- day : " monday"
257+ interval : ' weekly'
258+ day : ' monday'
210259 open-pull-requests-limit : 5
211260 groups :
212261 minor-and-patch :
213262 update-types :
214- - " minor"
215- - " patch"
263+ - ' minor'
264+ - ' patch'
0 commit comments