Enable Dependabot for NuGet and Docker#535
Open
naomizhengmsft wants to merge 1 commit into
Conversation
Adds .github/dependabot.yml so future NuGet package version bumps surface as scheduled PRs.

Be precise about scope — this enables ONE of the three independent Dependabot features on GitHub:

Enabled here: Dependabot version updates (scheduled, NuGet only). Weekly Mon 06:00 PT.

NOT enabled here:

- Dependabot alerts (already on by default for public repos).
- Dependabot security updates (the reactive CVE-PR flow). That toggle lives in Settings -> Code security -> "Dependabot security updates" and is highly recommended as a separate follow-up — without it, CVE patches still get PR'd, but only on the weekly cadence below instead of within hours of advisory publication.
- Docker ecosystem coverage. The repo has two Dockerfiles (root + .devcontainer) but base images are managed separately, so the docker ecosystem blocks are intentionally omitted. Re-add them if/when that policy changes.

Coverage of this file:

- NuGet: weekly, recursive scan from repo root (all 7 csproj across both solutions). Minor and patch bumps grouped to keep PR volume sane; majors still get individual PRs so breaking-change review stays explicit.

No github-actions ecosystem block because the repo has no workflows yet.

Follow-up to SFI-ES5.2 remediation: the manual transitive pins in that PR (Microsoft.Bcl.Memory, System.Net.Http, System.Text.RegularExpressions) are now direct PackageReferences, so future patches to those will get auto-PR'd by this config.
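The description above spells out the policy (NuGet only, weekly Monday 06:00 Pacific, minor/patch grouped, majors as separate PRs) but the PR diff itself is not reproduced on this page. The following is an added illustration of what a `.github/dependabot.yml` expressing that policy looks like; it is not the file from this PR. The group name `nuget-minor-and-patch`, the `/` directory and the `America/Los_Angeles` timezone identifier (the IANA name for "PT") are assumptions; the recursive project discovery from the root directory is the behaviour the description claims for the NuGet ecosystem, not something verified here.

```yaml
# Added example of a Dependabot version-updates config matching the policy
# described in the PR text. Assumed, not the PR's own file.
version: 2
updates:
  # Only the NuGet ecosystem is enabled; docker and github-actions blocks are
  # deliberately absent per the PR description.
  - package-ecosystem: "nuget"
    # Assumption: scanning from the repo root so Dependabot discovers every
    # .csproj/.sln beneath it rather than listing each project directory.
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      # "06:00 PT" expressed as an IANA zone name (assumed identifier).
      timezone: "America/Los_Angeles"
    groups:
      # Roll minor and patch bumps into one PR to keep volume low.
      # Major bumps fall outside this group and therefore get their own PR,
      # which keeps breaking-change review explicit.
      nuget-minor-and-patch:
        update-types:
          - "minor"
          - "patch"
```

A point worth checking in review: this file only controls the scheduled *version updates* feed. The reactive security-updates flow the description calls out is a repository setting, not a key in this file, so the weekly cadence here is the only thing that will pick up a CVE fix until that toggle is enabled.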
Adds .github/dependabot.yml so future OSS vulnerabilities surface as automatic PRs instead of requiring manual remediation.
Coverage:
No github-actions ecosystem block because the repo has no workflows yet.
Follow-up to SFI-ES5.2 remediation: prevents the next round of transitive-vuln PRs from needing to be opened by hand.