Files
paperclip/.github
Devin Foley 69e513efe1 ci(dependabot): bundle npm patch/minor updates by dependency type (#7483)
## Thinking Path

> - Paperclip orchestrates AI agents for zero-human companies
> - Dependabot keeps the JS/TS dependency tree up to date so the agents
and UI run on supported package versions
> - When a sibling package family shares peer dependencies (lexical core
+ `@lexical/*`, `@codemirror/*`, `@radix-ui/*`, `@assistant-ui/*`,
etc.), bumping one without the others leaves the lockfile with two
installed copies of the core package
> - That trips TypeScript: nodes from one version are not assignable to
types from the other, and the UI build fails — observed concretely on PR
#7330 (lexical 0.35 → 0.45) once PAPA-490 stopped masking it
> - The first cut (per-scope `groups` for each sibling-package family)
works but requires maintenance whenever a new scope is added
> - This pull request goes broader: it groups *all* npm patch/minor
updates by dependency type (production vs development), so any
sibling-package family is bundled regardless of scope
> - The benefit is a single weekly PR per dep type, no per-scope
maintenance, and no more partial peer bumps

## What Changed

- Replaced the lexical-specific `groups` entry with two type-based
groups in `.github/dependabot.yml`:
- `production-dependencies`: bundles all patch/minor `dependencies`
updates into one PR
- `development-dependencies`: bundles all patch/minor `devDependencies`
updates into one PR
- Majors continue to land as individual PRs (and are already ignored by
the existing `version-update:semver-major` rule).

## Verification

- After merge, the next Dependabot run (Monday 06:00 weekly, or on
`@dependabot recreate`) should open at most two new npm PRs —
`chore(deps): bump the production-dependencies group` and
`chore(deps-dev): bump the development-dependencies group` — each
combining many bumps. The existing per-package PRs (#7318–#7331) will be
closed and superseded by the grouped PRs.
- Sanity-check by inspecting the resulting lockfile diff: `lexical` and
`@lexical/link` should always move together to the same version.

## Risks

- Low risk for CI config itself. The trade-off is larger weekly PRs that
are harder to bisect when one bump breaks the batch — but Dependabot
also publishes per-package failure reports inside the grouped PR, so
triage stays tractable.
- If a future package genuinely needs to stay ungrouped (e.g. a noisy
one that breaks often), it can be moved out via `exclude-patterns` on
the group.

## Model Used

- Claude (Anthropic), claude-opus-4-7, tool-use enabled.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [ ] I have run tests locally and they pass — N/A, YAML-only CI config
change
- [ ] I have added or updated tests where applicable — N/A
- [ ] If this change affects the UI, I have included before/after
screenshots — N/A
- [ ] I have updated relevant documentation to reflect my changes — N/A
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge
2026-06-03 23:16:04 -07:00
..