Yicong-Huang opened a new pull request, #6165:
URL: https://github.com/apache/texera/pull/6165

   ### What changes were proposed in this PR?
   
   Add `.github/dependabot.yml` to enable weekly Dependabot **version updates** 
— the complementary half of #6163 (which feeds security *alerts*): alerts flag 
vulnerable dependencies, version updates keep dependencies current so alerts 
rarely fire.
   
   | Ecosystem | Directory | Notes |
   | --- | --- | --- |
   | `sbt` | `/` (root build, all modules) | New Dependabot ecosystem (beta, 
2026-05); first use in the ASF org |
   | `npm` | `/frontend`, `/pyright-language-service` | Angular majors ignored 
— they need a guided `ng update` migration with framework/CLI lines moving 
together (see #6155) |
   | `pip` | `/amber` | `requirements.txt` + `operator-requirements.txt` |
   | `github-actions` | `/` | Commit prefix `ci` per repo convention |
   
   Noise control: **weekly** schedule, minor/patch bumps **grouped into a 
single PR per ecosystem**, majors as individual PRs, ≤5 open PRs per ecosystem. 
Commit prefixes follow the repo's Conventional Commits style (`chore(deps)` / 
`ci`) so the PR title check passes. 267 ASF repos already use `dependabot.yml`.
   
   Notes for review:
   
   - Local schema validation passes except the `sbt` enum value — schemastore 
still lags the 2026-05 beta; GitHub's changelog ([Dependabot version updates 
now support the sbt 
ecosystem](https://github.blog/changelog/2026-05-26-dependabot-version-updates-now-support-the-sbt-ecosystem/))
 is authoritative for the key. After merge, any config error would surface 
under Insights → Dependency graph → Dependabot.
   - The sbt ecosystem is beta: it may not follow every `build.sbt` pattern 
(e.g. version `val`s), so missed sbt updates are expected at first, not 
misconfiguration.
   - `.asf.yaml`'s `dependabot_updates` (automatic security-*fix* PRs) is 
deliberately left `false` to avoid a burst of bot PRs for the existing alert 
backlog while #6152/#6155 are in flight; it can be flipped separately later.
   
   ### Any related issues, documentation, discussions?
   
   Closes #6164. Related: #6162 / #6163 (sbt dependency graph for alerts).
   
   ### How was this PR tested?
   
   Config-only change; Dependabot runs server-side after merge, so it cannot be 
exercised by PR CI. Validated locally:
   
   - `yaml.safe_load` parses the file.
   - `check-jsonschema --builtin-schema vendor.dependabot` passes for all 
entries except the not-yet-in-schema `sbt` ecosystem value (see note above).
   
   ### Was this PR authored or co-authored using generative AI tooling?
   
   Generated-by: Claude Code (Claude Fable 5)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to