MAINT: Group Dependabot security minor patch updates #2018
Merged
romanlutz merged 1 commit on Jun 16, 2026
romanlutz approved these changes on Jun 16, 2026
Description
Adds explicit Dependabot `security-minor-and-patch` groups for each configured ecosystem so minor and patch security updates are grouped separately from normal version updates.

This follows up on the recent separate Dependabot security PRs #2010, #2011, #2012, #2013, and #2015. The existing `minor-and-patch` groups only apply to version updates by default because Dependabot `groups.applies-to` defaults to `version-updates` when omitted. GitHub’s Dependabot options reference documents that `applies-to` supports both `version-updates` and `security-updates`.

Major security updates are intentionally left ungrouped. This keeps higher-risk updates, such as the major `cryptography` bump in #2015, isolated for review while reducing noise for lower-risk minor and patch security fixes.

References:
- `groups` option: https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#groups--
- `applies-to` behavior: https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#groups--

Tests and Documentation

Validated the Dependabot YAML edit with VS Code diagnostics and `git diff --check`.

No runtime tests or JupyText runs were needed because this change only updates Dependabot configuration.
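
The grouping described in this PR, sketched as an added example that is not the file changed in the PR. The `pip` ecosystem, root directory, weekly schedule, and `"*"` patterns are assumptions made for illustration:

```yaml
# Illustrative .github/dependabot.yml, not the repository's actual file.
# Assumed: a single "pip" ecosystem at the repo root on a weekly schedule.
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # Existing group: with applies-to omitted it defaults to
      # version-updates, so security updates are not grouped by it.
      minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
      # Added group: same update types, but scoped to security updates.
      security-minor-and-patch:
        applies-to: security-updates
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
      # No group lists "major" for security updates, so a major security
      # bump is not grouped and still gets its own pull request.
```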