docs(dependabot): clarify security-update routing to main (#1341)#1346
Merged
Conversation
…1341) The config already sets `target-branch: dev` on every ecosystem (live on main since v0.6.1), so version-update PRs correctly flow to dev. The remaining symptom in #1341 — Dependabot *security* PRs (#1298 form-data, #1324 vite) opening against `main` — is GitHub's by-design routing: security updates ignore `target-branch` and always target the default branch, and closing them triggers a recreate loop. Spell that out in the config comment with what to do instead (merge to main as a security fix; reaches dev on the next back-merge, or cherry-pick if urgent), so this isn't re-filed as a config bug. No behavioral change — comment only. Related to #1341 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
4 tasks
|
Resolve by running |
vybe
approved these changes
Jun 26, 2026
vybe
left a comment
vybe
left a comment
Contributor
There was a problem hiding this comment.
Validated via /validate-pr: docs/config only, security clean. Approving.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related to #1341
Comment-only clarification in
.github/dependabot.yml. No behavioral change.Context
Investigating #1341 showed the config bug it describes was already fixed:
target-branch: devis set on all 6 ecosystem entries on bothmainanddev(live onmainsince v0.6.1, 2026-06-12). Version-update PRs correctly targetdev.The two PRs still on
main(#1298 form-data, #1324 vite 5→8) are Dependabot security updates — created after the config was live, branch names lack the/dev/segment, and #1324 is a major bump thepatch-and-minorgroup would never raise. GitHub routes security updates to the default branch (main) by design;target-branchcan't redirect them, and closing them triggers a recreate loop.Change
Expands the header comment to spell out that a security PR against
mainis expected, not a misroute, and what to do (let it merge to main as a security fix → reaches dev on the next back-merge, or cherry-pick if urgent). Prevents this from being re-filed as a config bug.🤖 Generated with Claude Code