chore: keep major Dependabot updates out of grouped PRs #1264
Restrict the dev/production groups to minor and patch bumps so major updates break out into individual PRs. A grouped major (@vitejs/plugin-react 4 -> 6) broke the whole batch in #1262; isolating majors keeps the safe minor/patch updates flowing and makes breaking bumps reviewable on their own.
PR template validation failed
Please fix the following issues by editing your PR description:
See CONTRIBUTING.md for the full contribution policy.
Pull request overview
Updates Dependabot grouping rules so major version bumps are no longer included in the grouped dev-dependencies / production-dependencies PRs, reducing the chance that a single breaking change causes an entire batch PR to fail CI.
Changes:
- Restrict `dev-dependencies` group to `minor` and `patch` updates only.
- Restrict `production-dependencies` group to `minor` and `patch` updates only.
- Add inline rationale comment explaining why majors should not be grouped.
This is a focused, correct configuration change that solves the stated problem. The approach is sound: by restricting Dependabot groups to minor and patch bumps, major version updates (which carry breaking changes and peer-dep incompatibilities — like the @vitejs/plugin-react@6 incident described in the PR) will now be raised as individual PRs for separate review instead of poisoning an otherwise safe grouped batch.
I checked the full dependabot.yml and AGENTS.md conventions. The update-types syntax matches GitHub's Dependabot schema, and no code-level conventions (SQL safety, Lingui, RTL, authorization, etc.) apply to a CI-only tooling tweak. No changeset is required per CONTRIBUTING.md for CI/tooling changes.
The existing cooldown.semver-major-days: 7 already delays major bumps, which pairs well with the new grouping exclusion — safe updates flow as a single low-noise grouped PR, while majors land individually after their cooldown. Clean PR.
Deploying with

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! | docs | 4d00173 | Jun 01 2026, 02:40 PM |
@emdash-cms/admin
@emdash-cms/auth
@emdash-cms/auth-atproto
@emdash-cms/blocks
@emdash-cms/cloudflare
@emdash-cms/contentful-to-portable-text
emdash
create-emdash
@emdash-cms/gutenberg-to-portable-text
@emdash-cms/plugin-cli
@emdash-cms/plugin-types
@emdash-cms/registry-client
@emdash-cms/registry-lexicons
@emdash-cms/sandbox-workerd
@emdash-cms/x402
@emdash-cms/plugin-ai-moderation
@emdash-cms/plugin-atproto
@emdash-cms/plugin-audit-log
@emdash-cms/plugin-color
@emdash-cms/plugin-embeds
@emdash-cms/plugin-field-kit
@emdash-cms/plugin-forms
@emdash-cms/plugin-webhook-notifier
Deploying with

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! | emdash-demo-cache | 4d00173 | Jun 01 2026, 02:41 PM |
Deploying with

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! | emdash-playground | 4d00173 | Jun 01 2026, 02:41 PM |
What does this PR do?
Restricts the Dependabot `dev-dependencies` and `production-dependencies` groups to `minor` and `patch` bumps. Major updates now break out into their own individual PRs instead of being batched in.

The first grouped PR (#1262) failed all build-dependent checks because Dependabot lumped a major `@vitejs/plugin-react` bump (4 -> 6) in with ~18 safe minor/patch updates. `@vitejs/plugin-react@6` imports `vite/internal`, a subpath our pinned Vite 8 (rolldown-vite) doesn't export, so `vite build` died and took the whole batch down with it.

Isolating majors keeps the safe minor/patch updates flowing as a single low-noise PR, while breaking changes land individually where they can be reviewed (or closed) on their own. We can pick up the Vite-ecosystem majors when Astro bumps its Vite peer.
Type of change
Checklist
AI-generated code disclosure
Try this PR
Open a fresh playground →
A full working EmDash site, deployed from this branch. Each visit gets its own session-scoped sandbox: no login needed and no shared state. Try the admin, edit content, hit the public site.
Tracks `chore/dependabot-separate-majors`. Updated automatically when the playground redeploys.
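A minimal `dependabot.yml` showing the grouping rule discussed in this PR, as an added example and not the repository's actual file. The `npm` ecosystem, directory, weekly schedule and `dependency-type` selectors are assumptions; the group names, the `minor`/`patch` restriction and `cooldown.semver-major-days: 7` are taken from the discussion above.

```yaml
# Added illustration, not the project's own dependabot.yml.
version: 2
updates:
  - package-ecosystem: "npm"      # assumption: ecosystem not shown on the page
    directory: "/"                # assumption
    schedule:
      interval: "weekly"          # assumption
    cooldown:
      semver-major-days: 7        # from the review: majors wait 7 days before a PR is raised
    groups:
      # Before the change, a group with no update-types filter accepts every
      # bump its selector matches, majors included:
      #
      #   dev-dependencies:
      #     dependency-type: "development"
      #
      # so one breaking major can fail CI for the whole batch.
      #
      # After: only minor and patch bumps are batched. A major bump matches
      # no group and is raised as its own PR.
      dev-dependencies:
        dependency-type: "development"   # assumption: selector not shown on the page
        update-types:
          - "minor"
          - "patch"
      production-dependencies:
        dependency-type: "production"    # assumption: selector not shown on the page
        update-types:
          - "minor"
          - "patch"
```

Omitting `update-types` from a group is what lets a major bump ride along with the minor and patch updates, so the filter has to be set on every group that should stay safe to merge as a batch.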