build(deps): bump webpack from 5.103.0 to 5.105.0 in /Legacy/old-codebase-artifacts/arkivermj#335
Closed
dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
Bumps [webpack](https://github.com/webpack/webpack) from 5.103.0 to 5.105.0. - [Release notes](https://github.com/webpack/webpack/releases) - [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md) - [Commits](webpack/webpack@v5.103.0...v5.105.0) --- updated-dependencies: - dependency-name: webpack dependency-version: 5.105.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
added
dependencies
MightyPrytanis
approved these changes
Feb 7, 2026
MightyPrytanis
added a commit
that referenced
this pull request
Feb 21, 2026
…ies (#372) Fixes Dependabot scanning legacy/archived code by adding `exclude-paths` configuration to prevent dependency update PRs in frozen directories. ## Problem PR #335 showed that Dependabot was creating PRs for dependencies in `/Legacy/old-codebase-artifacts/arkivermj/`, proving that simply listing explicit directories was insufficient. Dependabot scans ALL directories in the repository by default, not just the ones listed in `directory` fields. ## Changes **`.github/dependabot.yml`** - Added functional `exclude-paths` configuration: - **exclude-paths added** - All 7 update entries now include: ```yaml exclude-paths: - "Legacy/**" - "archive/**" ``` - **Updated documentation** - Header now explains the use of `exclude-paths` feature - **Active directories** - Lists 7 scanned paths (`/Cyrano`, `/apps/lexfiat`, `/apps/arkiver`, etc.) - **Excluded paths** - `Legacy/**` and `archive/**` patterns block all legacy code ## Technical Details This uses GitHub's `exclude-paths` feature (added August 2025) to actually prevent Dependabot from scanning manifest files in specified paths. Unlike the `ignore` directive (which ignores specific dependencies), `exclude-paths` prevents scanning entire directory trees. This will prevent future PRs like #335 from being created for archived/frozen code. ```yaml # Dependabot configuration for Cyrano ecosystem # Uses exclude-paths to prevent scanning /Legacy/ and /archive/ directories # # Active directories (scanned for dependency updates): # - /Cyrano (MCP server and core modules) # - /Cyrano/auth-server (authentication service) # ... # # Excluded paths (NOT scanned, frozen): # - Legacy/** (all archived legacy code) # - archive/** (all archive directories) ``` <!-- START COPILOT ORIGINAL PROMPT --> <details> <summary>Original prompt</summary> > ## Problem Statement > > We need to prevent Dependabot from updating dependencies in archived/legacy code that should remain frozen. This includes: > > 1. **Legacy directories in the monorepo** - Any directories under `/Legacy/` or `/archive/` paths should not receive dependency updates > 2. **Standalone repositories** - The following standalone repos should have Dependabot disabled entirely: > - MightyPrytanis/SwimMeet > - MightyPrytanis/LexFiat > - MightyPrytanis/Cyrano > - MightyPrytanis/Annunciator > > ## Required Changes > > ### For MightyPrytanis/codebase repository: > > Update `.github/dependabot.yml` to add `ignore` conditions to each package ecosystem configuration. Add the following ignore block to each update entry: > > ```yaml > ignore: > # Ignore all dependencies in legacy/archive paths > - dependency-name: "*" > update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"] > ``` > > However, note that Dependabot's `ignore` configuration only ignores specific dependencies, not paths. Since the current configuration already uses explicit directory targeting (only `/Cyrano`, `/apps/lexfiat`, `/apps/arkiver`, etc.), and does NOT include `/Legacy/` paths, these are already effectively excluded. > > The more important issue is that there's a `/Legacy/SwimMeet/` directory in the monorepo that should be explicitly documented as excluded. > > Update the comment at the top to clarify: > ```yaml > # Dependabot configuration for Cyrano ecosystem > # Scans only active development directories > # Explicitly excludes: /Legacy/, /archive/, and any archived code > ``` > > ### For standalone repositories: > > Create `.github/dependabot.yml` files (if they exist) in each standalone repo and set them to disabled, OR delete existing dependabot.yml files to disable Dependabot entirely. > > For each of these repos: > - MightyPrytanis/SwimMeet > - MightyPrytanis/LexFiat > - MightyPrytanis/Cyrano > - MightyPrytanis/Annunciator > > **Note:** Based on the checks, these repos either don't have Dependabot configurations or are not accessible. Since this PR is for the `codebase` monorepo, focus on documenting that the legacy code in `/Legacy/` is excluded. > > ### Final Solution for codebase repo: > > Update `.github/dependabot.yml` to: > 1. Improve the header comment to explicitly state what's excluded > 2. Keep the existing explicit directory configuration (which already excludes Legacy) > 3. Optionally add a comment section listing explicitly excluded directories for documentation > > The current configuration is already correct in that it only targets active directories, but the documentation should be clearer. </details> <!-- START COPILOT CODING AGENT SUFFIX --> *This pull request was created from Copilot chat.* > <!-- START COPILOT CODING AGENT TIPS --> --- ✨ Let Copilot coding agent [set things up for you](https://github.com/MightyPrytanis/codebase/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot) — coding agent works faster and does higher quality work when set up for your repo.
Contributor
Author
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
dependabot
bot
deleted the
dependabot/npm_and_yarn/Legacy/old-codebase-artifacts/arkivermj/webpack-5.105.0
branch
Owner
|
@dependabot it isn't that this release isn't valuable; its that the directory you targeted is legacy/archive and meant to be static–it's. no longer active or being updated |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps webpack from 5.103.0 to 5.105.0.
Release notes
Sourced from webpack's releases.
... (truncated)
Changelog
Sourced from webpack's changelog.
... (truncated)
Commits
1486f9achore(release): new release1a517f6feat: added thetsconfigoption for theresolveroptions (#20400)7b3b0f7feat: supportimport.defer()for context modulesc4a6a92refactor: more types and increase types coverage5ecc58dfeat: consider asset module as side-effect-free (#20352)cce0f69test: avoid comma operator in BinaryMiddleware test (#20398)cd4793dfeat: support import specifier guard (#20320)fe48655docs: update examples (#20397)de107f8fix(VirtualUrlPlugin): set resourceData.context to avoid invalid fallback (#2...a656ab1test: add self-import test case for dynamic import (#20389)Maintainer changes
This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for webpack since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.