[Feature] Add GitHub Dependabot scanning (runs once a month) #46

Merged
CaseyLabs merged 3 commits from feature/add-dependabot-scanning into main 2026-04-10 12:40:49 +08:00
CaseyLabs commented 2026-04-09 05:20:06 +08:00 (Migrated from github.com)

Dependabot is GitHub’s built-in dependency update service. It monitors the dependency files in a repository, checks for newer or insecure versions, and opens pull requests to update them automatically.

It should be enabled because it reduces dependency drift, catches known vulnerable packages earlier, and keeps maintenance work small and routine instead of sporadic and risky.

For this repo specifically, it can keep Rust crates, GitHub Actions, and Docker base images current with low overhead, while the existing CI validates whether an update is safe to merge.

How to enable Dependabot:

  • Merge this PR into main
  • In the repo, go to Settings → Advanced Security.
  • Under Dependabot, enable all settings
  • Once the config file is on main, Dependabot should run immediately and then continue on its monthly schedule.

After enabling, view:

  • https://github.com/razvandimescu/numa/network/updates

Sample output:

  • https://github.com/CaseyLabs/numa-fork/pulls
razvandimescu commented 2026-04-10 12:30:47 +08:00 (Migrated from github.com)

Thanks for this @CaseyLabs

I pushed one commit on top of yours that adds two things:

  1. `groups` — bundles all minor/patch bumps per ecosystem into a single PR. Without this, ~30 cargo crates × monthly = 10+ PRs/month, which gets old fast. Majors still get individual PRs since they can break APIs.

  2. `commit-message` prefix — `chore(deps)` to match the repo's conventional-commit style (`fix:`, `refactor:`, `ci:`, etc.).

I've also enabled the Security updates for this repo.

Thanks again for the contribution!

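For readers who want to see the pieces from both comments in one place (monthly schedule for cargo, GitHub Actions and Docker from the PR description; `groups` and the `chore(deps)` prefix from the follow-up commit), here is a constructed `.github/dependabot.yml` as an added illustration. It is not the file merged in this PR; the `directory: "/"` values assume `Cargo.toml`, the workflows and the `Dockerfile` all sit at the repo root.

```yaml
# .github/dependabot.yml (constructed example, not the PR's own file)
# Assumes Cargo.toml, .github/workflows/ and the Dockerfile live at the repo root.
version: 2
updates:
  # Rust crates (Cargo.toml / Cargo.lock)
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "monthly"
    commit-message:
      prefix: "chore(deps)"        # matches the repo's conventional-commit style
    groups:
      # All minor and patch bumps land in one PR. Major bumps match no group
      # (update-types omits "major"), so each still opens its own PR.
      cargo-minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"

  # Actions referenced from .github/workflows/*.yml
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    commit-message:
      prefix: "chore(deps)"
    groups:
      actions-minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"

  # Base images in the root Dockerfile
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "monthly"
    commit-message:
      prefix: "chore(deps)"
```

This file only governs scheduled version updates; the "Security updates" that razvandimescu enabled are a separate repo-settings toggle, and the existing CI still decides whether any grouped PR is safe to merge.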
CaseyLabs commented 2026-04-11 06:41:31 +08:00 (Migrated from github.com)

@razvandimescu - oh neat, I didn't know about the groups setting for dependabot. I've added it to my own git repo template now!

Repo template project link: https://github.com/CaseyLabs/kc-secure-repo-template
