Merge pull request #2703 from Shopify/reduce-dependabot-maintenance

byrichardpowell · web-flow · commit d08f8bc78ec9 · 2025-09-02T10:30:38.000-04:00
Reduce dependabot maintenance costs
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -10,12 +10,25 @@ updates:
     directory: '/'
     # Check the npm registry for updates every day (weekdays)
     schedule:
-      interval: 'daily'
+      interval: 'weekly'
     # Dependabot defaults to 5 open pull requests at a time
     open-pull-requests-limit: 100
+    # ignore versions already covered by a range
+    # e.g: ^1.2.3 -> 1.2.4, would be ignored
+    versioning-strategy: increase-if-necessary
+
+    # Cooldown is the number of days after a release to wait until opening a PR
+    # This gives us more confidence changes can be merged because changes have been community tested.
+    # See: https://github.blog/changelog/2025-07-01-dependabot-supports-configuration-of-a-minimum-package-age/
+    cooldown:
+      default-days: 14
+      semver-major-days: 30
+      semver-minor-days: 14
+      semver-patch-days: 14
 
-    # Group together PRs of interdependant packages
     groups:
+
+      # Group together PRs of interdependant packages
       aws-sdk:
         patterns:
           - '@aws-sdk/client-dynamodb'
@@ -30,3 +43,21 @@ updates:
         patterns:
           - 'prisma'
           - '@prisma/client'
+      jest-core:
+        patterns:
+          - 'jest'
+          - 'jest-circus'
+      react:
+        patterns:
+          - 'react'
+          - 'react-dom'
+
+      # Group all patch updates not accounted for in prior groups in a single PR.
+      # This reduces the number of PRs to review and rebase.
+      # We skip development dependencies because those are auto-merged by .github/workflows/dependabot_auto_merge.yml
+      patch-updates:
+        patterns:
+          - "*"
+        update-types:
+          - "patch"
+        dependency-type: "production"
