Skip to content

chore: restrict dependabot to security updates only#1655

Merged
aws-cdk-automation merged 3 commits into
mainfrom
epolon/limit-dependabot-to-security-alerts
Jun 22, 2026
Merged

chore: restrict dependabot to security updates only#1655
aws-cdk-automation merged 3 commits into
mainfrom
epolon/limit-dependabot-to-security-alerts

Conversation

@iliapolo

Copy link
Copy Markdown
Contributor

In #1035, we added a dependabot configuration that adds an auto-approve label to NPM update PRs created by dependabot. This was done so that such PRs can be auto merged. However, we inadvertently also increased the scope of which PRs should depedabot create.

Prior to #1035

The npm package registry was missing - which means dependabot would only create PRs that resolve a security alert, as specified in our repository settings:

Screenshot 2026-06-21 at 7 13 00 PM

After #1035

Dependabot creates PRs for regular npm dependency upgrades, duplicating our custom projen based workflow. For example:


According to GitHub docs:

If you only require security updates and want to exclude version updates, you can set open-pull-requests-limit to 0 in order to prevent version updates for a given package-ecosystem.

We now use this mechanism in order to limit dependabot to security alerts but preserve the addition of the auto-approve lablel.

Checklist

  • This change contains a major version upgrade for a dependency and I confirm all breaking changes are addressed
    • Release notes for the new version:

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions

github-actions Bot commented Jun 21, 2026

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

Comment thread .projenrc.ts
// see https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-security-updates#overriding-the-default-behavior-with-a-configuration-file
'open-pull-requests-limit': 0,
'labels': ['auto-approve'],
'allow': [{

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed because we want to resolve security alerts in dev deps as well.

Comment thread .projenrc.ts
{
'package-ecosystem': 'npm',
'schedule': { interval: 'weekly' },
'cooldown': {

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed because we want to grab security fixes as fast as possible, assuming they themselves don't need a cooldown period.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to keep some cooldown if we are auto merging packages. It can be shorter then before. I'm not sure I trust Dependabot/our understanding of the config enough here.

@iliapolo iliapolo changed the title chore: allow dependabot only for security updates chore: restrict dependabot to security updates only Jun 21, 2026
@aws-cdk-automation aws-cdk-automation added this pull request to the merge queue Jun 22, 2026
Merged via the queue into main with commit 9f04d41 Jun 22, 2026
41 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants