fix: set npm open-pull-requests-limit to 0 for security-only policy#192
fix: set npm open-pull-requests-limit to 0 for security-only policy#192don-petry wants to merge 3 commits into
Conversation
Resolves compliance finding: npm ecosystem had open-pull-requests-limit: 10 but policy requires 0 to suppress version updates (security PRs bypass this limit). Closes #173 Co-authored-by: don-petry <don-petry@users.noreply.github.com>
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 55 minutes and 55 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
There was a problem hiding this comment.
Pull request overview
Updates the repository’s Dependabot configuration to align with the org’s “security-only” policy for application ecosystems (npm), while leaving GitHub Actions updates unaffected.
Changes:
- Set
open-pull-requests-limit: 0for thenpmecosystem to suppress routine version update PRs. - Kept
open-pull-requests-limit: 10for thegithub-actionsecosystem.
Automated review — APPROVEDRisk: LOW SummarySingle-line change to .github/dependabot.yml sets open-pull-requests-limit to 0 for the npm ecosystem, aligning with the org's security-only dependency policy. All CI checks pass (CodeQL, SonarCloud, build, tests, dependency audit), 0 new issues or security hotspots flagged. The triage escalation was caused by a triage-tier failure (triage-output-invalid), not a genuine security signal in this PR. FindingsInfo
CI statusAll status checks passed (AgentShield, build-and-test, CodeQL, SonarCloud, Node.js Tests, Playwright UI Tests, dependency audit, coverage). Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with |



Summary
open-pull-requests-limit: 0for thenpmecosystem in.github/dependabot.ymlgithub-actionsecosystem correctly retainsopen-pull-requests-limit: 10per policyStandard Reference
dependabot-policy.md: Application ecosystems (npm) should use
open-pull-requests-limit: 0for security-only policy.Closes #173
Generated with Claude Code