From 029367fad4da4d2cea42c86883f9fad42ec9795b Mon Sep 17 00:00:00 2001 From: Patrick Dawkins Date: Tue, 9 Jun 2026 11:39:07 +0100 Subject: [PATCH] chore(dependabot): ignore major PHP updates, rename groups Major version bumps of PHP (composer) dependencies are usually incompatible. For example Dependabot repeatedly proposed upgrading doctrine/cache from 1.x to 2.x (#96), but 2.0 removed the concrete cache providers the legacy CLI relies on (FilesystemCache, VoidCache, and others), so the upgrade would break the build. doctrine/cache has no published security advisories, so nothing important is suppressed. Restrict the composer ecosystem to minor and patch updates. Go modules are left unchanged, since incompatible major versions there change the import path. Rename the dependency groups to php-deps and go-deps for clarity. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/dependabot.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 131b665a..db47761f 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,8 +4,14 @@ updates: directory: /legacy schedule: interval: weekly + # Major version bumps of PHP dependencies are usually incompatible + # (e.g. doctrine/cache 1.x to 2.x), so only allow minor and patch updates. + ignore: + - dependency-name: "*" + update-types: + - version-update:semver-major groups: - all-dependencies: + php-deps: patterns: - "*" @@ -14,6 +20,6 @@ updates: schedule: interval: weekly groups: - all-dependencies: + go-deps: patterns: - "*"