
chore: exclude test fixture manifests from Dependabot #409

Merged
ruromero merged 1 commit into guacsec:main from ruromero:dependabot-ignore-test-manifests
Apr 13, 2026

Conversation

@ruromero
Collaborator

Summary

  • Add Dependabot ecosystem entries for npm, pip, gomod, gradle, and cargo with exclude-paths: ["src/test/**"] and open-pull-requests-limit: 0
  • Prevents Dependabot from raising version update PRs for test fixture manifests in src/test/resources/tst_manifests/
  • These manifests contain intentionally pinned (and sometimes vulnerable) dependencies used as test data for the dependency-analysis client

Note: exclude-paths only applies to Dependabot version updates. Security update PRs for test fixtures (e.g. #403, #404, #405, #407) must be closed manually and their alerts dismissed.

Test plan

🤖 Generated with Claude Code

The src/test/resources/tst_manifests/ directory contains intentionally
pinned (and sometimes vulnerable) dependencies used as test data.
Dependabot was raising version and security update PRs for these
fixtures, which should never be upgraded automatically.

Add ecosystem entries for npm, pip, gomod, gradle, and cargo with
exclude-paths covering src/test/** and open-pull-requests-limit: 0
so Dependabot skips those manifests entirely for version updates.

Note: exclude-paths does not apply to Dependabot security updates.
Security update PRs for test fixtures must be closed manually and
their alerts dismissed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@qodo-code-review
Contributor

Review Summary by Qodo

Add Dependabot exclusions for test fixture manifests

✨ Enhancement


Walkthroughs

Description
• Add Dependabot ecosystem entries for npm, pip, gomod, gradle, cargo
• Exclude test fixture manifests in src/test/** from version updates
• Set open-pull-requests-limit to 0 to prevent automatic PRs
• Test fixtures contain intentionally pinned vulnerable dependencies
Diagram
flowchart LR
  A["dependabot.yml"] -->|"Add npm, pip, gomod,<br/>gradle, cargo entries"| B["Exclude src/test/**"]
  B -->|"Set limit to 0"| C["Prevent test fixture<br/>version update PRs"]


File Changes

1. .github/dependabot.yml ⚙️ Configuration changes +38/-0

Configure Dependabot to exclude test fixture manifests

• Added Dependabot ecosystem entries for npm, pip, gomod, gradle, and cargo
• Configured exclude-paths to skip src/test/** directory for all new ecosystems
• Set open-pull-requests-limit to 0 to prevent automatic version update PRs
• Added explanatory comments about test fixture manifests containing intentionally pinned dependencies



@qodo-code-review
Contributor

qodo-code-review bot commented Apr 13, 2026

Code Review by Qodo

🐞 Bugs (1) · 📘 Rule violations (0) · 📎 Requirement gaps (0) · ⚙ Maintainability (1)

Remediation recommended

1. Dependabot updates disabled 🐞
Description
The new npm/pip/gomod/gradle/cargo entries set open-pull-requests-limit: 0, which prevents
Dependabot from opening any version-update PRs for those ecosystems across the repo (not just for
test fixtures). Combined with exclude-paths: ["src/test/**"], this likely means these entries won’t
manage the fixture manifests they’re intended to address and may silently block future updates if
non-test manifests are introduced later.
Code

.github/dependabot.yml[R16-50]

+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    exclude-paths:
+      - "src/test/**"
+    open-pull-requests-limit: 0
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    exclude-paths:
+      - "src/test/**"
+    open-pull-requests-limit: 0
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    exclude-paths:
+      - "src/test/**"
+    open-pull-requests-limit: 0
+  - package-ecosystem: "gradle"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    exclude-paths:
+      - "src/test/**"
+    open-pull-requests-limit: 0
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    exclude-paths:
+      - "src/test/**"
+    open-pull-requests-limit: 0
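Review bot: each of these five entries pairs `exclude-paths: - "src/test/**"` with `open-pull-requests-limit: 0`, and the limit on its own already suppresses every version-update PR for that ecosystem repository-wide, so the exclusion never has anything left to filter; keep one mechanism, not both. If the intent stated in the PR description is only to stop version-update PRs for the fixtures under src/test/, drop the `open-pull-requests-limit: 0` line from each block and let `exclude-paths` do the scoping, so a manifest added later outside src/test/ still receives updates; if the intent is to switch these ecosystems off entirely, drop `exclude-paths` instead and put a comment beside the limit saying the repo-wide effect is deliberate. Either way, as the description itself notes, neither setting affects security-update PRs, so the fixture manifests will keep producing those and they still have to be closed and their alerts dismissed by hand.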
Evidence
The Dependabot config explicitly disables version-update PR creation for these ecosystems
(open-pull-requests-limit: 0) and excludes src/test/**, while representative manifests for these
ecosystems in the repo are located under src/test/resources/tst_manifests/... (which matches the
excluded path).

.github/dependabot.yml[16-50]
src/test/resources/tst_manifests/it/npm/package.json[1-16]
src/test/resources/tst_manifests/it/pypi/requirements.txt[1-3]
src/test/resources/tst_manifests/it/golang/go.mod[1-10]
src/test/resources/tst_manifests/it/gradle-groovy/build.gradle[1-17]
src/test/resources/tst_manifests/cargo/license/cargo_with_license/Cargo.toml[1-7]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
New Dependabot ecosystem entries (npm/pip/gomod/gradle/cargo) are configured with `open-pull-requests-limit: 0`, which disables *all* version-update PRs for those ecosystems across the repo, and they also exclude `src/test/**` where fixture manifests live. This can make the configuration ineffective for its stated goal and creates a future trap if real (non-test) manifests are added.

### Issue Context
Fixture manifests are under `src/test/resources/tst_manifests/...`, and the new entries exclude `src/test/**` while also setting `open-pull-requests-limit: 0`.

### Fix Focus Areas
- .github/dependabot.yml[16-50]

### Suggested remediation options
- If you only want to prevent *test fixture* version-update PRs, remove `open-pull-requests-limit: 0` and keep `exclude-paths`, so real manifests (if added outside `src/test/**`) can still get updates.
- If you truly want to disable version updates for these ecosystems repo-wide, keep `open-pull-requests-limit: 0` but add a short comment stating this is intentional and must be revisited if real manifests are added outside `src/test/**`.
- If these ecosystems are not used outside fixtures, consider removing these entries entirely to avoid inert configuration and re-add them only when/if real manifests are introduced.
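The interaction the PR description and the review above describe (a repo-wide `open-pull-requests-limit: 0` making `exclude-paths` inert, and silently blocking any non-test manifest added later) can be checked mechanically. The following is an added example, not code from the guacsec project, the PR, or Dependabot: it mirrors the five new entries as the dict `yaml.safe_load()` would produce from `.github/dependabot.yml`, audits each entry against a list of known manifests, and applies the test-only remediation from the review. The manifest list is constructed inline; the fixture paths mirror those cited in the review, `tools/sbom-gen/Cargo.toml` is a hypothetical production manifest, and the gitignore-style glob semantics are an assumption about how Dependabot evaluates `exclude-paths`.

```python
"""Lint Dependabot `updates` entries for the inert-exclusion pattern.

Added example, not code from the guacsec project, the PR, or Dependabot.
The config is mirrored as the dict that yaml.safe_load() would produce
from .github/dependabot.yml, so the block runs without PyYAML.
"""
import copy
import re

# Constructed: the five entries the PR adds, identical apart from the
# ecosystem name.
DEPENDABOT_CONFIG = {
    "version": 2,
    "updates": [
        {
            "package-ecosystem": eco,
            "directory": "/",
            "schedule": {"interval": "weekly"},
            "exclude-paths": ["src/test/**"],
            "open-pull-requests-limit": 0,
        }
        for eco in ("npm", "pip", "gomod", "gradle", "cargo")
    ],
}

# Constructed: known manifests per ecosystem. The src/test paths mirror the
# fixture files cited in the review; tools/sbom-gen/Cargo.toml is a
# hypothetical production manifest that shows what the limit would block.
MANIFESTS = {
    "npm": ["src/test/resources/tst_manifests/it/npm/package.json"],
    "pip": ["src/test/resources/tst_manifests/it/pypi/requirements.txt"],
    "gomod": ["src/test/resources/tst_manifests/it/golang/go.mod"],
    "gradle": ["src/test/resources/tst_manifests/it/gradle-groovy/build.gradle"],
    "cargo": [
        "src/test/resources/tst_manifests/cargo/license/cargo_with_license/Cargo.toml",
        "tools/sbom-gen/Cargo.toml",
    ],
}


def glob_to_regex(pattern: str) -> "re.Pattern":
    """Translate a path glob to an anchored regex.

    `**` crosses directory separators, `*` and `?` stay inside one path
    segment (gitignore-style; an assumption about Dependabot's matching).
    A leading "/" is ignored so "/src/test/**" and "src/test/**" agree.
    """
    pattern = pattern.lstrip("/")
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def is_excluded(path: str, exclude_paths: list) -> bool:
    """True if `path` matches any exclude-paths glob."""
    return any(glob_to_regex(g).match(path.lstrip("/")) for g in exclude_paths)


def audit_updates(config: dict, manifests: dict) -> list:
    """Return (ecosystem, finding-id, detail) triples for suspicious entries."""
    findings = []
    for entry in config.get("updates", []):
        eco = entry["package-ecosystem"]
        excludes = entry.get("exclude-paths", [])
        limit = entry.get("open-pull-requests-limit")  # None: Dependabot default
        not_excluded = [p for p in manifests.get(eco, []) if not is_excluded(p, excludes)]
        if limit == 0 and excludes:
            findings.append((eco, "inert-exclude",
                             "open-pull-requests-limit: 0 already stops every version-update "
                             "PR for this ecosystem; exclude-paths has nothing left to filter"))
        if limit == 0 and not_excluded:
            findings.append((eco, "blocked-manifests",
                             "version updates silently disabled for: " + ", ".join(not_excluded)))
    return findings


def keep_fixtures_only(config: dict) -> dict:
    """Test-only remediation from the review: drop the repo-wide limit wherever
    exclude-paths already scopes the entry. Returns a new dict, input untouched."""
    fixed = copy.deepcopy(config)
    for entry in fixed.get("updates", []):
        if entry.get("exclude-paths") and entry.get("open-pull-requests-limit") == 0:
            del entry["open-pull-requests-limit"]
    return fixed


if __name__ == "__main__":
    for eco, fid, detail in audit_updates(DEPENDABOT_CONFIG, MANIFESTS):
        print(f"{eco:7} {fid:18} {detail}")
    print("after fix:", audit_updates(keep_fixtures_only(DEPENDABOT_CONFIG), MANIFESTS))
```

Run against the mirrored config, the audit reports `inert-exclude` for all five ecosystems and `blocked-manifests` for cargo (the hypothetical non-test Cargo.toml); after `keep_fixtures_only()` removes the limit it reports nothing, because `exclude-paths` alone covers every fixture path while leaving the non-test manifest eligible for updates. The repo-wide alternative from the review (keep the limit, drop `exclude-paths`, comment the intent) would clear the first finding but not the second.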


@ruromero ruromero requested a review from a-oren April 13, 2026 14:21
@ruromero ruromero enabled auto-merge (squash) April 13, 2026 14:23
Contributor

@a-oren a-oren left a comment


LGTM

@ruromero ruromero merged commit 5023985 into guacsec:main Apr 13, 2026
38 checks passed
@ruromero ruromero deleted the dependabot-ignore-test-manifests branch April 13, 2026 14:35
