
fix: resolve CI failures for security audit, PR title validation, and dependabot noise#470

Open
tejaskash wants to merge 3 commits into main from fix/ci-green

Conversation

@tejaskash
Contributor

Summary

  • Security audit: Update npm overrides (minimatch→10.2.4, add fast-xml-parser→5.3.9) and add --omit=dev to skip auditing aws-cdk-lib's bundled minimatch (a devDep not shipped to users; aws-cdk-lib@2.240.0 — the latest — bundles minimatch@10.2.2 which npm overrides cannot fix since it's a bundledDependency)
  • PR title validation: Add permissions: statuses: write to pr-title.yml — currently all human PRs fail with "Resource not accessible by integration"
  • Dependabot noise: Group @aws-sdk/*, @smithy/*, @aws-cdk/*, and GitHub Actions into single PRs; reduce open-pull-requests-limit from 20 to 10. Currently 13 of 20 open PRs are individual dependabot bumps

Checks fixed

| Check | Before | After |
|---|---|---|
| security (Quality and Safety Checks) | FAILURE on main + all PRs | PASS |
| validate-pr-title | FAILURE on all human PRs | PASS |
| dependabot PR count | ~13 individual PRs/week | ~4 grouped PRs/week |

Note on stale dependabot PRs

The 10 existing dependabot PRs with build failures (npm ci: Missing yaml@2.8.2 from lock file) are stale — dependabot generates lockfiles that are out of sync with npm overrides. After this merges, dependabot will close the individual PRs and open new grouped ones. You may want to bulk-close the stale ones.

Test plan

  • npm run security:audit passes locally (0 vulnerabilities)
  • npm run typecheck passes
  • CI security check passes on this PR
  • PR title validation passes on this PR
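A check worth running before accepting the `--omit=dev` change: confirm from `package-lock.json` which installed copies of the vulnerable package are dev-only (those are what `npm audit --omit=dev` stops reporting) and which are bundled (lockfile v2/v3 marks them `"inBundle": true`; an `overrides` entry cannot replace a bundledDependency, only upgrading the parent can). The script below is an added example, not code from this PR or the project. The sample lockfile is constructed: the `aws-cdk-lib` / `minimatch` versions mirror the PR description, and `some-lib` is invented to show a production-path copy that `--omit=dev` would still report.

```python
"""Triage an npm audit finding against package-lock.json (lockfile v2/v3).

Added example for this PR's audit change; not code from the PR or the project.
For a vulnerable package it lists every installed copy and says whether an
`overrides` entry can replace it (not if the lockfile marks it "inBundle",
i.e. it ships inside a parent's tarball as a bundledDependency) and whether
`npm audit --omit=dev` would hide it (dev-only copies carry "dev": true).
"""
import json
import sys


def parse_semver(version):
    """Compare on the numeric core only; pre-release/build tags are dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split(".")[:3])


def find_copies(lock, name):
    """Yield (path, entry) for each installed copy of `name` in the lockfile."""
    suffix = "node_modules/" + name
    for path, entry in lock.get("packages", {}).items():
        if path == suffix or path.endswith("/" + suffix):
            yield path, entry


def triage(lock, name, fixed_version):
    """Classify every copy of `name` older than `fixed_version`."""
    findings = []
    for path, entry in find_copies(lock, name):
        version = entry["version"]
        if parse_semver(version) >= parse_semver(fixed_version):
            continue
        dev_only = bool(entry.get("dev"))
        bundled = bool(entry.get("inBundle"))
        if bundled:
            fix = "cannot be replaced by overrides (bundled); upgrade the parent package"
        else:
            fix = "fixable with an overrides entry"
        visibility = "hidden by --omit=dev" if dev_only else "reported in production audit"
        findings.append({
            "path": path, "version": version,
            "dev": dev_only, "inBundle": bundled,
            "fix": fix, "visibility": visibility,
        })
    return findings


def audit_visible(findings, omit_dev):
    """Model what `npm audit` reports: with --omit=dev, dev-only copies vanish."""
    return [f for f in findings if not (omit_dev and f["dev"])]


# Constructed sample lockfile. The aws-cdk-lib / minimatch versions mirror the
# PR description; "some-lib" is invented to show a production-path copy.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"some-lib": "^1.0.0"},
             "devDependencies": {"aws-cdk-lib": "^2.240.0"}},
        "node_modules/minimatch": {"version": "10.2.4"},
        "node_modules/aws-cdk-lib": {"version": "2.240.0", "dev": True},
        "node_modules/aws-cdk-lib/node_modules/minimatch": {
            "version": "10.2.2", "dev": True, "inBundle": True},
        "node_modules/some-lib": {"version": "1.0.0"},
        "node_modules/some-lib/node_modules/minimatch": {"version": "9.0.0"},
    },
}


def report(lock, name, fixed_version, omit_dev):
    """Return one line per finding that the chosen audit mode would still show."""
    lines = []
    for f in audit_visible(triage(lock, name, fixed_version), omit_dev):
        lines.append(f"{f['path']} {f['version']}: {f['fix']}; {f['visibility']}")
    return lines


if __name__ == "__main__":
    # Usage: python triage.py [path/to/package-lock.json] [--omit=dev]
    lock = SAMPLE_LOCK if len(sys.argv) < 2 else json.load(open(sys.argv[1]))
    for line in report(lock, "minimatch", "10.2.4", omit_dev="--omit=dev" in sys.argv):
        print(line)
```

On the sample lockfile, the bundled copy under `aws-cdk-lib` is both dev-only and unfixable by overrides, so hiding it with `--omit=dev` is defensible for a package that is not shipped; the copy under `some-lib` is a production path and stays visible. Run the script against the real lockfile to confirm no production copy is being silenced along with the dev one.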
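For the `statuses: write` fix, a minimal `pr-title.yml` that scopes the token to exactly the permission the check needs. This is an added example, not the project's workflow file: the PR does not show its contents or name the action it uses, so the check here is a plain `run` step with an assumed title pattern that writes a commit status through `gh api` (the call that fails with "Resource not accessible by integration" when the token lacks `statuses: write`).

```yaml
# .github/workflows/pr-title.yml (added example, not the project's file)
name: validate-pr-title

on:
  pull_request:
    types: [opened, edited, synchronize, reopened]

# Before the fix the workflow had no `permissions:` key. When the repository's
# default workflow token permissions are "read-only", that leaves GITHUB_TOKEN
# unable to POST a commit status, which is the "Resource not accessible by
# integration" error. Grant only what the check needs, nothing more.
permissions:
  contents: read
  pull-requests: read
  statuses: write

jobs:
  validate-pr-title:
    runs-on: ubuntu-latest
    steps:
      - name: Check that the PR title looks like "type: summary"
        env:
          # Pass the title through an env var rather than expanding ${{ }} inside
          # the script; a crafted PR title must not become shell code.
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Assumed pattern: conventional-commit style types, optional scope.
          if printf '%s' "$PR_TITLE" | grep -Eq '^(feat|fix|docs|chore|refactor|test|ci)(\([a-z0-9-]+\))?!?: .+'; then
            state=success; desc="PR title is valid"
          else
            state=failure; desc="PR title must look like 'fix: short summary'"
          fi
          # Writing a commit status is the call that needs statuses: write.
          gh api --method POST "repos/${GITHUB_REPOSITORY}/statuses/${HEAD_SHA}" \
            -f state="$state" -f context="validate-pr-title" -f description="$desc"
          [ "$state" = success ]
```

One caveat the PR description does not mention: on `pull_request` runs triggered from a fork, GITHUB_TOKEN is read-only regardless of the `permissions:` block, so this fix covers PRs from branches in the repository itself; fork PRs would need a different trigger and a careful threat model before giving them any write access.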
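For the dependabot grouping, a `dependabot.yml` matching the groups the PR describes. This is an added example, not the project's configuration file: the schedule interval is assumed, and the `update-types` keys go one step beyond the PR by keeping major bumps out of the grouped PRs so they still arrive individually for manual review.

```yaml
# .github/dependabot.yml (added example, not the project's file)
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly          # assumed; the PR does not state the interval
    open-pull-requests-limit: 10
    groups:
      aws-sdk:
        patterns:
          - "@aws-sdk/*"
          - "@smithy/*"         # @smithy is the runtime layer under @aws-sdk v3
        update-types: ["minor", "patch"]   # majors stay as individual PRs
      aws-cdk:
        patterns:
          - "@aws-cdk/*"
        update-types: ["minor", "patch"]

  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly          # assumed
    groups:
      actions:
        patterns:
          - "*"
        update-types: ["minor", "patch"]
```

Grouping reduces PR count, not review load per change: a grouped PR can move a dozen packages at once, so the lockfile diff still deserves a look for unexpected new transitive packages before any auto-merge rule is applied to it.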

… dependabot noise

- Update npm overrides: minimatch 10.2.1→10.2.4, add fast-xml-parser 5.3.9
- Add --omit=dev to security:audit (aws-cdk-lib bundles vulnerable minimatch
  as a bundledDependency that overrides cannot fix; it's a devDep, not shipped)
- Add statuses:write permission to pr-title.yml (fixes "Resource not accessible
  by integration" error on all human PRs)
- Group dependabot PRs: @aws-sdk/*, @smithy/*, @aws-cdk/*, github-actions
  into single PRs; reduce open-pull-requests-limit 20→10
@tejaskash tejaskash requested a review from a team February 27, 2026 20:55
@github-actions github-actions bot added the size/s PR size: S label Feb 27, 2026
Auto-approves and enables auto-merge (squash) for dependabot PRs
that are patch or minor version bumps. Major version bumps still
require manual review.

Note: requires "Allow auto-merge" to be enabled in repo settings.
@github-actions github-actions bot added size/s PR size: S and removed size/s PR size: S labels Feb 27, 2026
