@DaleSeo DaleSeo commented Oct 19, 2025

Summary

Adds Dependabot configuration to automate dependency updates for this repository.

Changes

  • Created .github/dependabot.yml with configuration for:
    • npm ecosystem updates (weekly on Mondays)
    • GitHub Actions updates (weekly on Mondays)
    • Grouped updates for Storybook, testing, ESLint, and React packages
  • Configured reasonable PR limits to prevent overwhelming the team

Benefits

  • Automated dependency updates to keep packages current
  • Reduced security vulnerabilities through timely updates
  • Grouped updates make reviews more manageable
  • Works seamlessly with Bun package manager

Closes #236

Generated with Claude Code

- Configure npm ecosystem updates (weekly on Mondays)
- Configure GitHub Actions updates (weekly on Mondays)
- Group related dependencies (Storybook, testing, ESLint, React)
- Limit open PRs to prevent overwhelming the team

Closes #236

Co-authored-by: Dale Seo <[email protected]>
@DaleSeo DaleSeo requested a review from a team as a code owner October 19, 2025 18:19
version: 2
updates:
# Enable version updates for npm (compatible with Bun)
- package-ecosystem: "npm"
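Review bot: the comment above `package-ecosystem: "npm"` says "compatible with Bun" without saying what that compatibility covers. Spell out in the comment whether the Bun lockfile is expected to be updated by these PRs or regenerated by hand, so reviewers of Dependabot PRs know what to check.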
Member Author

@claude We should use bun instead of npm.

@claude claude bot Oct 19, 2025

Claude finished @DaleSeo's task

Analysis

  • Read the current Dependabot configuration
  • Research Dependabot support for Bun
  • Provide guidance on the configuration

Findings

Unfortunately, GitHub Dependabot does not currently support bun as a package-ecosystem value. The supported package ecosystems are:

  • bundler (Ruby)
  • cargo (Rust)
  • composer (PHP)
  • docker
  • elm
  • github-actions
  • gomod (Go)
  • gradle (Java)
  • maven (Java)
  • mix (Elixir)
  • npm (JavaScript/Node.js)
  • nuget (.NET)
  • pip (Python)
  • terraform
  • And a few others, but not bun

Good News

The current configuration using package-ecosystem: "npm" is actually correct and will work perfectly with Bun because:

  1. Bun is npm-compatible: Bun reads and respects package.json and package-lock.json (or bun.lockb) files
  2. Dependabot updates package.json: When Dependabot creates PRs, it modifies package.json, which Bun will use
  3. Standard practice: This is the recommended approach for Bun projects until GitHub adds native Bun support

Recommendation

Keep the current configuration as-is with package-ecosystem: "npm". The comment on line 3 already clarifies this: "Enable version updates for npm (compatible with Bun)".

When Dependabot creates update PRs, you can run bun install to update the bun.lockb file, and everything will work as expected.

Would you like me to update the comment to make it even clearer, or are you comfortable keeping it as-is?


DaleSeo commented Oct 19, 2025

I will enable Dependabot after the Storybook upgrade in #239 is complete.

DaleSeo commented Nov 7, 2025

@claude We should use bun instead of npm.

claude bot commented Nov 7, 2025

Claude finished @DaleSeo's task

Analysis

  • Read current Dependabot configuration
  • Verify current ecosystem setting
  • Provide clarification

Findings

Good news! I can see that the .github/dependabot.yml file has already been updated to use package-ecosystem: "bun" (line 3).

Current Configuration:

- package-ecosystem: "bun"
  directory: "/"
  schedule:
    interval: "weekly"
    day: "monday"

Important Note About Bun Support

While the configuration now uses "bun", I should mention that GitHub Dependabot's native support for Bun is relatively recent. According to GitHub's documentation, bun was added as a supported package ecosystem.

The current configuration looks correct and should work properly with your Bun-based project. Dependabot will:

  • Read your package.json
  • Create PRs to update dependencies
  • Work with Bun's lockfile (bun.lockb)

Summary

✅ The configuration is already using package-ecosystem: "bun" as requested
✅ No changes needed - the file is correctly set up for your Bun project
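
A configuration of the shape this pull request describes (weekly Monday updates for Bun and GitHub Actions, grouped packages, PR limits), as an added example that is not the repository's actual file. The group names, package patterns and limit values are assumptions.

```yaml
# Illustrative .github/dependabot.yml; not the file from this pull request.
# Group names, patterns and limit values below are assumptions.
version: 2
updates:
  # Dependency updates for the Bun-managed package.json
  - package-ecosystem: "bun"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap concurrent PRs so reviews stay manageable (assumed value)
    open-pull-requests-limit: 5
    groups:
      storybook:
        patterns:
          - "storybook"
          - "@storybook/*"
      testing:
        patterns:
          - "vitest"
          - "@testing-library/*"
      eslint:
        patterns:
          - "eslint"
          - "eslint-*"
          - "@typescript-eslint/*"
      react:
        patterns:
          - "react"
          - "react-dom"
          - "@types/react*"

  # Updates for actions referenced in workflow files
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Assumed value
    open-pull-requests-limit: 3
```

Dependencies that match no group pattern are still updated, each in its own pull request.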


Development

Successfully merging this pull request may close these issues.

Dependabot setup