chore: enable dependabot for npm and cargo dependencies#138
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 46eaa5a3cf
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| - "*" | ||
|
|
||
| - package-ecosystem: "npm" | ||
| directory: "/" |
There was a problem hiding this comment.
When test/crashtracker dependencies such as express or body-parser need a security or compatibility bump, this npm entry is scoped only to /, so Dependabot will watch the root package.json/yarn.lock but never open updates for test/crashtracker/package.json and its lockfile, even though scripts/test.sh installs that package for the crashtracker test. Add a second npm entry, or use directories including /test/crashtracker, so the test package is covered too.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
The comment is valid as test/crashtracker/package.json has real dependencies (express, body-parser, @datadog/segfaultify) that won't be watched by the root-only entry.
That said, test/crashtracker has no lockfile of its own (package-lock.json or yarn.lock), so Dependabot will not be able to reliably track it. It skips directories with no lockfiles. Also, @datadog/segfaultify would presumably be excluded the same way @datadog/* is excluded from GitHub Actions (though the npm entry doesn't have that exclusion currently).
The fix is presumably to commit a lockfile there?
There was a problem hiding this comment.
Yep, I think your most recent commit 161ab74 should address this
Overall package sizeSelf size: 28.04 MB Dependency sizes| name | version | self size | total size | |------|---------|-----------|------------|🤖 This report was automatically generated by heaviest-objects-in-the-universe |
| - "*" | ||
|
|
||
| - package-ecosystem: "npm" | ||
| directory: "/" |
There was a problem hiding this comment.
Yep, I think your most recent commit 161ab74 should address this
2 participants
Adds Dependabot version update configuration for npm and Cargo package ecosystems, in addition to the existing GitHub Actions entry.
Both ecosystems use weekly checks with patch and minor updates grouped separately, following the same pattern as
DataDog/pprof-format.The
semver-patchlabel is applied by default so PRs are routed correctly in the release process.