Skip to content

fix(ci): unblock Dependabot PRs and patch high-severity npm vulns #22

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
omerakben wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(ci): unblock Dependabot PRs and patch high-severity npm vulns #22

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 39 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
version: 2
updates:
- package-ecosystem: "npm"
directory: "/capstone-client"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
groups:
radix-ui:
patterns:
- "@radix-ui/*"
types:
patterns:
- "@types/*"
eslint:
patterns:
- "eslint*"
- "@eslint/*"
next:
patterns:
- "next"
- "eslint-config-next"
Comment on lines +15 to +22

@coderabbitai coderabbitai Bot May 9, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

eslint* glob shadows eslint-config-next in the next group — the two packages will be bumped separately.

Dependabot assigns each package to the first group whose pattern matches it. Because the eslint group (using eslint*) is declared before the next group, eslint-config-next is captured by eslint, not by next. This defeats the goal of keeping next and eslint-config-next on the same version, and risks peer-dependency mismatches when they land in separate PRs.

Fix: either narrow the eslint group's glob to exclude eslint-config-next, or move eslint-config-next to an explicit exclude/include:

🔧 Proposed fix 
      eslint:
        patterns:
          - "eslint*"
          - "@eslint/*"
+       exclude-patterns:
+         - "eslint-config-next"
      next:
        patterns:
          - "next"
          - "eslint-config-next"
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/dependabot.yml around lines 15 - 22, The dependabot group pattern
"eslint*" in the eslint group is currently matching and stealing packages like
"eslint-config-next" from the next group; update the configuration so
"eslint-config-next" is handled by the next group instead of eslint: either
narrow the eslint group's pattern (replace "eslint*" with a more specific
pattern that does not match "eslint-config-next") or explicitly exclude
"eslint-config-next" from the eslint group and/or explicitly include it in the
next group; adjust the patterns for the eslint and next groups (referencing the
"eslint" group, pattern "eslint*", and the "next" group, pattern
"eslint-config-next") accordingly so Dependabot assigns the package to the
correct group.

Comment on lines +17 to +22

@chatgpt-codex-connector chatgpt-codex-connector Bot May 9, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Keep eslint-config-next out of the generic eslint group

Because Dependabot assigns a dependency to the first matching group, eslint-config-next will match eslint* under the eslint group before it can reach the next group. That means next and eslint-config-next updates will be split into separate PRs even though this config appears intended to update them together, which can create avoidable CI breakage from version skew between Next and its lint config.

Useful? React with 👍 / 👎.


- package-ecosystem: "pip"
directory: "/capstone-server"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
groups:
django:
patterns:
- "Django"
- "django-*"
- "djangorestframework"

- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "monthly"
18 changes: 11 additions & 7 deletions .github/workflows/deploy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ on:
- main

env:
NODE_VERSION: "18"
NODE_VERSION: "20"
PYTHON_VERSION: "3.12"
Comment on lines 12 to 14

jobs:
Expand Down Expand Up @@ -41,24 +41,28 @@ jobs:

- name: Check Django configuration
env:
SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY }}
SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY || 'ci-test-secret-key-not-for-production-use-only' }}
DEBUG: "True"
ALLOWED_HOSTS: "localhost,127.0.0.1"
ALLOWED_HOSTS: "localhost,127.0.0.1,testserver"
Comment on lines 42 to +46
DEMO_MODE: "True"
run: |
Comment on lines 45 to 48
python manage.py check

- name: Run migrations (dry run)
- name: Check for missing migrations
env:
SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY }}
SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY || 'ci-test-secret-key-not-for-production-use-only' }}
DEBUG: "True"
ALLOWED_HOSTS: "localhost,127.0.0.1,testserver"
DEMO_MODE: "True"
run: |
python manage.py migrate --check
python manage.py makemigrations --check --dry-run

- name: Run tests
env:
SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY }}
SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY || 'ci-test-secret-key-not-for-production-use-only' }}
DEBUG: "True"
ALLOWED_HOSTS: "localhost,127.0.0.1,testserver"
DEMO_MODE: "True"
run: |
python manage.py test

Expand Down
Loading
Loading