chore(deps): Bump dependabot/fetch-metadata from 2.4.0 to 2.5.0#880
dependabot[bot] wants to merge 1 commit into main from
Conversation
Bumps [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) from 2.4.0 to 2.5.0.

- [Release notes](https://github.com/dependabot/fetch-metadata/releases)
- [Commits](dependabot/fetch-metadata@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: dependabot/fetch-metadata
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Closing: duplicate of renovate PR #879 (same update). Consolidating to renovate-only for dependency management.
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting. If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
…915)

## Summary

- Disable dependabot for NuGet, consolidate to renovate-only
- Consolidate 4 overlapping auto-approve/merge workflows into 1
- Update renovate.json with proper package grouping and exclusion rules
- Add `docs/dependency-management.md` documenting package categories and upgrade policies

## Problem

Both dependabot and renovate created duplicate PRs for every NuGet update. Dependabot NuGet PRs used "Bump X from A to B" titles that failed the required "Validate PR title" check (conventional commits required), so they could never auto-merge. Four overlapping auto-approve/merge workflows competed with each other, one of which had a broken step referencing a nonexistent step output (`steps.cpr.outputs`).

## Changes

### Dependabot config (`.github/dependabot.yml`)

Removed the `nuget` ecosystem. Retained `github-actions` ecosystem (dependabot's fetch-metadata action provides update-type classification for major version gating).

### Workflow consolidation

Deleted 3 workflows, kept and expanded 1:

- **Deleted:** `auto-approve-and-merge-renovate.yml`, `dependabot-auto-approve.yml`, `dependabot-auto-merge.yml`
- **Kept:** `dependabot-approve-and-auto-merge.yml` with separate jobs for dependabot and renovate

### Renovate config (`renovate.json`)

- Added `ignoreDeps` for `Microsoft.CodeAnalysis.*` core packages (same policy as former dependabot ignore list)
- Grouped `BenchmarkDotNet` + `Perfolizer` as `benchmark-tooling` with `automerge: false` (coordinated updates required due to transitive dependency constraints)
- Disabled `System.CommandLine` and `System.CommandLine.Rendering` updates until PerfDiff rewrite (#914)

### Documentation

New `docs/dependency-management.md` covers:

- Package categories (shipped, build-time, test, benchmark, tools, infrastructure)
- Upgrade policies per category
- The VersionOverride pattern for non-shipped projects
- Lessons from the CS8032/SCI incident (#850)

## Bot PR cleanup performed

| Action | PRs |
|--------|-----|
| Closed (dependabot duplicates) | #903, #902, #890, #880, #909 |
| Closed (superseded) | #877 (Meziantou 2.0.302, superseded by 3.x) |
| Closed (build failures) | #834 (BenchmarkDotNet), #832 (Perfolizer) |
| Closed (PerfDiff breakage) | #821 (dotnet monorepo) |
| Merged | #878, #882, #881, #879, #883, #884 |

## Validation

- `dotnet build /p:PedanticMode=true`: 0 warnings, 0 errors
- `dotnet format`: no changes needed
- Tests cannot run locally (machine has .NET 10 only, test TFM is net8.0); CI will validate

## Test plan

- [ ] CI build passes
- [ ] All tests pass
- [ ] No new bot PRs from dependabot for NuGet packages
- [ ] Renovate correctly picks up future dependency updates
- [ ] Auto-approve/merge workflow fires for new renovate PRs

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit

* **Chores**
  * Consolidated dependency-update process: moved NuGet management to Renovate, removed several automated auto-approve/auto-merge workflows for bot PRs, and adjusted automerge/approval behavior and rules.
  * Renovate configuration updated with new groups, ignore lists, and automerge adjustments.
* **Documentation**
  * Added a dependency management guide detailing categories, upgrade policies, configuration patterns, and workflow recommendations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

--------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
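As an added illustration (not the workflow merged in #915 or any file from this project), here is one way to lay out the consolidated auto-approve/auto-merge workflow that the description above sketches: one job for Dependabot PRs that uses the `update-type` output of `dependabot/fetch-metadata` (at the 2.5.0 version this PR bumps to) to keep major bumps out of auto-merge, and a second job that only approves Renovate PRs and leaves the merge decision to Renovate's own `automerge` rules. The job and step names, the `renovate[bot]` login check and the use of the `gh` CLI are assumptions; the `update-type` values are the ones the fetch-metadata action documents.

```yaml
# Hypothetical .github/workflows/bot-approve-and-auto-merge.yml (added example,
# not the project's file). Triggered on `pull_request`, NOT `pull_request_target`:
# nothing here checks out or executes code from the PR branch, so a crafted
# bot-lookalike branch gets no write token and no code execution.
name: Bot PR approve and auto-merge

on:
  pull_request:
    types: [opened, synchronize, reopened]

# Least privilege: only what approving and enabling auto-merge needs.
# Dependabot-triggered runs honour this block since the 2022 permissions change.
permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    # Gate on the PR author's login, never on the branch name: anyone can push a
    # branch called dependabot/..., only the bot account can be this login.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Classify the update
        id: meta
        # Pinning to a full commit SHA instead of a tag is the stronger supply-chain
        # choice; the tag is used here to match the version this PR bumps to.
        uses: dependabot/fetch-metadata@v2.5.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Only semver-minor and semver-patch bumps are merged hands-free. A
      # version-update:semver-major simply falls through and waits for a human.
      - name: Approve and enable auto-merge for minor/patch bumps
        if: contains(fromJSON('["version-update:semver-minor","version-update:semver-patch"]'), steps.meta.outputs.update-type)
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          gh pr review --approve "$PR_URL"
          # --auto defers the merge until every required status check is green,
          # so the "Validate PR title" and build checks still apply.
          gh pr merge --auto --squash "$PR_URL"

  renovate:
    # Assumed login of the Renovate GitHub App. Approval satisfies a
    # required-reviews branch rule; whether the PR is then merged is left to the
    # automerge flags in renovate.json (e.g. automerge: false for benchmark-tooling).
    if: github.event.pull_request.user.login == 'renovate[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Approve Renovate PR
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: gh pr review --approve "$PR_URL"
```

Two checks worth keeping when adapting this: confirm the approving identity (`github-actions[bot]` via `GITHUB_TOKEN`) is actually allowed to satisfy the branch-protection review requirement, and remember that a major bump never reaches the merge step, so it must be reviewed and merged manually rather than silently sitting open.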
Commits

- 21025c7 v2.5.0
- 252291c Merge pull request #647 from dependabot/dependabot/npm_and_yarn/modelcontextp...
- fa144c9 chore: Migrate jest expectation function
- 33c7a0b bug: Mock PR body in test
- 99c27ad Bump @modelcontextprotocol/sdk from 1.11.2 to 1.24.0
- 3837dcc Merge pull request #645 from dependabot/dependabot/npm_and_yarn/express-5.2.1
- d411582 Bump express from 5.1.0 to 5.2.1
- 186ccbb Merge pull request #644 from dependabot/dependabot/npm_and_yarn/js-yaml-3.14.2
- 84c891e Bump js-yaml from 3.14.1 to 3.14.2
- 4542092 Merge pull request #648 from dependabot/dependabot/github_actions/actions/cre...

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)