ci: fix dependabot exclusions for non-production ecosystems#431
Merged
ruromero merged 2 commits intoguacsec:mainfrom Apr 22, 2026
Merged
ci: fix dependabot exclusions for non-production ecosystems#431ruromero merged 2 commits intoguacsec:mainfrom
ruromero merged 2 commits intoguacsec:mainfrom
Conversation
The dependabot config missed /src/test/resources/msc/python in the pip ecosystem exclusion, allowing security update PR guacsec#425 (mako bump) to be created for an intentionally-pinned test fixture. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Per-directory entries with /** globs don't reliably suppress security updates (PRs guacsec#424, guacsec#426, guacsec#427 appeared after guacsec#422 was merged). Since this repo has no production npm/pip/go/gradle/cargo dependencies, add root-level entries with ignore-all + open-pull-requests-limit: 0 as a catch-all for security updates that bypass per-directory matching. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
ruromero
changed the title
Strum355
approved these changes
Apr 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ignore: [{dependency-name: "*"}]entries for all non-production ecosystems (npm, pip, gomod, gradle, cargo) to suppress security updates that bypass per-directory glob matching/src/test/resources/msc/pythonto thepipecosystem exclusion (missed in ci: suppress dependabot updates for test fixture manifests #422)Why root-level entries?
Per-directory entries with
/**globs don't reliably suppress security updates — PRs #424, #426, #427 (axios bumps init/npm,it/pnpm,it/yarn) were all created after #422 was merged. Since this repo has no production npm/pip/go/gradle/cargo dependencies, root-level entries withignore-all+open-pull-requests-limit: 0act as a catch-all.The existing per-directory entries are kept for version update suppression.
Test plan
🤖 Generated with Claude Code