Problem
Dependabot currently generates 2× PRs per bump for dependencies present in workspaces (apps/web, packages/type-testing). Root cause: the groups block in .github/dependabot.yml lacks group-by: dependency-name, so the same dep in N workspaces → N PRs.
Result: 20 open PRs, ~17 are root/workspace duplicates.
Solution
- Add
group-by: dependency-name to both groups (production-dependencies + development-dependencies) in .github/dependabot.yml — collapses PRs on the next weekly run
- Enable auto-merge — Settings → General → "Allow auto-merge" + create
.github/workflows/dependabot-auto-merge.yml to auto-merge minor/patch Dependabot PRs after CI passes (excluding majors)
- Clean up the current stack — merge workspace PRs first, then close the duplicate root PRs
Acceptance Criteria
Related
Risks
- Low.
group-by is a one-line addition; the rest is manual cleanup.
- The auto-merge workflow requires "Allow auto-merge" enabled on the repo + branch protection on
main (verify this is already in place).
Problem
Dependabot currently generates 2× PRs per bump for dependencies present in workspaces (apps/web, packages/type-testing). Root cause: the
groupsblock in.github/dependabot.ymllacksgroup-by: dependency-name, so the same dep in N workspaces → N PRs.Result: 20 open PRs, ~17 are root/workspace duplicates.
Solution
group-by: dependency-nameto both groups (production-dependencies+development-dependencies) in.github/dependabot.yml— collapses PRs on the next weekly run.github/workflows/dependabot-auto-merge.ymlto auto-merge minor/patch Dependabot PRs after CI passes (excluding majors)Acceptance Criteria
group-by: dependency-nameadded → next Dependabot run generates ≤ 10 PRs (one per dep)versioning-strategyfor the published lib (packages/type-testing/) evaluated separatelyRelated
docs/internal/learnings/github/dependabot-pnpm-monorepo-2026.mdRisks
group-byis a one-line addition; the rest is manual cleanup.main(verify this is already in place).