Skip to content

fix: set npm open-pull-requests-limit to 0 for security-only policy#192

Closed
don-petry wants to merge 3 commits into
mainfrom
claude/issue-173-20260414-1149
Closed

fix: set npm open-pull-requests-limit to 0 for security-only policy#192
don-petry wants to merge 3 commits into
mainfrom
claude/issue-173-20260414-1149

Conversation

@don-petry

Copy link
Copy Markdown
Collaborator

Summary

  • Sets open-pull-requests-limit: 0 for the npm ecosystem in .github/dependabot.yml
  • This suppresses routine version-update PRs while still allowing security-alert-triggered PRs (which bypass the limit)
  • github-actions ecosystem correctly retains open-pull-requests-limit: 10 per policy

Standard Reference

dependabot-policy.md: Application ecosystems (npm) should use open-pull-requests-limit: 0 for security-only policy.

Closes #173

Generated with Claude Code

Resolves compliance finding: npm ecosystem had open-pull-requests-limit: 10
but policy requires 0 to suppress version updates (security PRs bypass this limit).

Closes #173

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 14, 2026 11:49
@coderabbitai

coderabbitai Bot commented Apr 14, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 55 minutes and 55 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 55 minutes and 55 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1a0fb097-5a34-48c2-9040-a9917a609c34

📥 Commits

Reviewing files that changed from the base of the PR and between 56ee75a and d0e3058.

📒 Files selected for processing (1)
  • .github/dependabot.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-173-20260414-1149

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@sonarqubecloud

Copy link
Copy Markdown

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the repository’s Dependabot configuration to align with the org’s “security-only” policy for application ecosystems (npm), while leaving GitHub Actions updates unaffected.

Changes:

  • Set open-pull-requests-limit: 0 for the npm ecosystem to suppress routine version update PRs.
  • Kept open-pull-requests-limit: 10 for the github-actions ecosystem.

@don-petry

Copy link
Copy Markdown
Collaborator Author

Automated review — APPROVED

Risk: LOW
Reviewed commit: 2529759c28f3d91782c14d4b1618b101eaf1eb36
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

Single-line change to .github/dependabot.yml sets open-pull-requests-limit to 0 for the npm ecosystem, aligning with the org's security-only dependency policy. All CI checks pass (CodeQL, SonarCloud, build, tests, dependency audit), 0 new issues or security hotspots flagged. The triage escalation was caused by a triage-tier failure (triage-output-invalid), not a genuine security signal in this PR.

Findings

Info

  • .github/dependabot.yml:7 — open-pull-requests-limit: 0 disables routine version-update PRs for npm; security-alert PRs bypass this limit per Dependabot docs — behavior is intentional and policy-compliant.
  • CI — All status checks passed: AgentShield, build-and-test, CodeQL (actions/js-ts/python), SonarCloud (Quality Gate passed, 0 security hotspots), Node.js Tests, Playwright UI Tests, dependency audit, coverage.

CI status

All status checks passed (AgentShield, build-and-test, CodeQL, SonarCloud, Node.js Tests, Playwright UI Tests, dependency audit, coverage).


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
Note: approval skipped — cannot approve own PR; posting verdict as comment.

@don-petry don-petry enabled auto-merge (squash) April 16, 2026 21:39

@petry-projects-pr-review-agent petry-projects-pr-review-agent Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: approval skipped — cannot approve own PR; posting verdict as comment.

@petry-projects-pr-review-agent petry-projects-pr-review-agent Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: approval skipped — cannot approve own PR; posting verdict as comment.

@don-petry

Copy link
Copy Markdown
Collaborator Author

Closing as duplicate of #211 — same fix for issue #192. The newest attempt is kept open.

@don-petry don-petry closed this May 3, 2026
auto-merge was automatically disabled May 3, 2026 15:01

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: wrong-limit-npm

2 participants