Yicong-Huang opened a new pull request, #6165: URL: https://github.com/apache/texera/pull/6165
### What changes were proposed in this PR? Add `.github/dependabot.yml` to enable weekly Dependabot **version updates** — the complementary half of #6163 (which feeds security *alerts*): alerts flag vulnerable dependencies, version updates keep dependencies current so alerts rarely fire. | Ecosystem | Directory | Notes | | --- | --- | --- | | `sbt` | `/` (root build, all modules) | New Dependabot ecosystem (beta, 2026-05); first use in the ASF org | | `npm` | `/frontend`, `/pyright-language-service` | Angular majors ignored — they need a guided `ng update` migration with framework/CLI lines moving together (see #6155) | | `pip` | `/amber` | `requirements.txt` + `operator-requirements.txt` | | `github-actions` | `/` | Commit prefix `ci` per repo convention | Noise control: **weekly** schedule, minor/patch bumps **grouped into a single PR per ecosystem**, majors as individual PRs, ≤5 open PRs per ecosystem. Commit prefixes follow the repo's Conventional Commits style (`chore(deps)` / `ci`) so the PR title check passes. 267 ASF repos already use `dependabot.yml`. Notes for review: - Local schema validation passes except the `sbt` enum value — schemastore still lags the 2026-05 beta; GitHub's changelog ([Dependabot version updates now support the sbt ecosystem](https://github.blog/changelog/2026-05-26-dependabot-version-updates-now-support-the-sbt-ecosystem/)) is authoritative for the key. After merge, any config error would surface under Insights → Dependency graph → Dependabot. - The sbt ecosystem is beta: it may not follow every `build.sbt` pattern (e.g. version `val`s), so missed sbt updates are expected at first, not misconfiguration. - `.asf.yaml`'s `dependabot_updates` (automatic security-*fix* PRs) is deliberately left `false` to avoid a burst of bot PRs for the existing alert backlog while #6152/#6155 are in flight; it can be flipped separately later. ### Any related issues, documentation, discussions? Closes #6164. Related: #6162 / #6163 (sbt dependency graph for alerts). ### How was this PR tested? Config-only change; Dependabot runs server-side after merge, so it cannot be exercised by PR CI. Validated locally: - `yaml.safe_load` parses the file. - `check-jsonschema --builtin-schema vendor.dependabot` passes for all entries except the not-yet-in-schema `sbt` ecosystem value (see note above). ### Was this PR authored or co-authored using generative AI tooling? Generated-by: Claude Code (Claude Fable 5) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
