
Enable Dependabot for npm, pip, and GitHub Actions (weekly updates, grouped, reviewer added)#955

Open
SxxAq wants to merge 3 commits into fossasia:master from SxxAq:depbot-config

Conversation

@SxxAq

@SxxAq SxxAq commented Jan 29, 2026

Summary

  • What: Add repository Dependabot configuration at dependabot.yml.
  • Key changes: enable npm, pip, and github-actions updates; weekly schedule; set open-pull-requests-limit: 5; add reviewers: [mariobehling]; add grouping rules for common frontend and core Python packages.

Details

  • File: dependabot.yml
  • Ecosystems: npm, pip, github-actions
  • Schedule: weekly (separate days for each ecosystem)
  • PR limit: 5 open dependabot PRs per ecosystem
  • Grouping:
    • frontend group (React / d3 / three / jquery / react-grid-layout, etc.) for npm minor/patch updates
    • core-python group (numpy, scipy, requests, tornado, networkx, pillow*) for pip minor/patch updates
    • devdeps group for development dependencies
  • Reviewer: Dependabot PRs will request review from mariobehling

Testing & verification

  • YAML lint: file validated as YAML (recommended to run a YAML linter if desired).
  • Runtime verification: after pushing to remote, GitHub will activate Dependabot and will begin creating PRs according to the schedule (watch the repository's Security → Dependabot page and PR list).
  • No runtime impact: this is repository metadata only — no functional code changes.

Summary by Sourcery

Add Dependabot configuration to manage automated dependency updates across npm, pip, and GitHub Actions with weekly schedules and limited concurrent PRs.

CI:

  • Configure Dependabot for npm, pip, and GitHub Actions with weekly update schedules and an open pull request limit per ecosystem.

Chores:

  • Define dependency grouping rules and default reviewer for automated dependency update pull requests.

Ref #954

Copilot AI review requested due to automatic review settings January 29, 2026 17:45
@sourcery-ai

sourcery-ai bot commented Jan 29, 2026

Reviewer's Guide

.github/dependabot.yml is added to configure Dependabot for npm, pip, and GitHub Actions with weekly, rate-limited, and grouped updates plus a default reviewer.

File-Level Changes

Change Details Files
Add Dependabot configuration for npm dependencies with weekly updates, PR limits, labels, reviewer, security updates, and grouping rules.
  • Configure npm ecosystem at repository root with weekly schedule on Sunday at 04:00 and a limit of 5 open Dependabot PRs.
  • Apply labels "dependencies" and "npm" and automatically request reviews from user mariobehling for Dependabot PRs.
  • Enable security-updates for npm and define a frontend group targeting common frontend libraries (React variants, d3-*, three, jquery) restricted to minor and patch updates.
  • Define a devdeps group for npm development dependencies using dependency-type: development.
.github/dependabot.yml
Add Dependabot configuration for pip dependencies with weekly updates, PR limits, labels, reviewer, security updates, and grouping rules.
  • Configure pip ecosystem at repository root with weekly schedule on Monday at 04:00 and a limit of 5 open Dependabot PRs.
  • Apply labels "dependencies" and "python" and automatically request reviews from user mariobehling for Dependabot PRs.
  • Enable security-updates for pip and define a core-python group for key libraries (numpy, scipy, requests, tornado, networkx, pillow*) restricted to minor and patch updates.
  • Define a devdeps group for pip development dependencies using dependency-type: development.
.github/dependabot.yml
Add Dependabot configuration for GitHub Actions with weekly updates, PR limits, labels, reviewer, and security updates.
  • Configure github-actions ecosystem at repository root with weekly schedule on Tuesday at 04:00 and a limit of 5 open Dependabot PRs.
  • Apply labels "dependencies" and "github-actions" and automatically request reviews from user mariobehling for Dependabot PRs.
  • Enable security-updates for GitHub Actions without additional grouping rules.
.github/dependabot.yml

Possibly linked issues

  • #Configure Dependabot version updates for the visdom repository: PR introduces .github/dependabot.yml with weekly npm, pip, and GitHub Actions updates, fulfilling the Dependabot configuration issue.


@sourcery-ai sourcery-ai bot left a comment


Hey - I've left some high level feedback:

  • In the npm frontend group, the combination of react* and react-* is redundant and may unintentionally catch unrelated packages (e.g., reactive-*); consider tightening these patterns to only the specific React packages you care about.
  • The pillow* pattern in the core-python group may not be necessary unless you intentionally expect multiple similarly named forks or extras; if you only mean the main pillow package, using the exact name will make the grouping behavior clearer.
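The configuration that the PR description and the reviewer's guide describe, together with the pattern tightening the review above asks for, as an added example; this is not the PR's own file (the page does not show the actual .github/dependabot.yml). The YAML is reconstructed from the visible details, the Python matcher approximates Dependabot's `*` wildcard with fnmatch (an assumption), the `reactive-store` and `pillow-heif` package names are constructed inputs, and the assumption that a dependency lands in the first group whose patterns match it is marked in the code.

```python
"""Reconstructed Dependabot config plus a check of what its group patterns catch.
Added example; not the file from the PR."""
from fnmatch import fnmatchcase

# Reconstructed from the PR description and reviewer's guide (assumption: the
# real file may differ). Dependabot security updates are switched on in the
# repository's security settings; this file configures version updates and
# how their PRs are grouped, labelled and reviewed.
DEPENDABOT_YML = """\
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule: {interval: "weekly", day: "sunday", time: "04:00"}
    open-pull-requests-limit: 5
    labels: ["dependencies", "npm"]
    reviewers: ["mariobehling"]
    groups:
      frontend:
        # Original, as reviewed: ["react*", "react-*", "d3-*", "three", "jquery"]
        # Tightened: name the React packages explicitly so "react*" cannot
        # pull in unrelated packages whose names merely start with "react".
        patterns: ["react", "react-dom", "react-grid-layout", "d3-*", "three", "jquery"]
        update-types: ["minor", "patch"]
      devdeps:
        dependency-type: "development"
  - package-ecosystem: "pip"
    directory: "/"
    schedule: {interval: "weekly", day: "monday", time: "04:00"}
    open-pull-requests-limit: 5
    labels: ["dependencies", "python"]
    reviewers: ["mariobehling"]
    groups:
      core-python:
        # Original, as reviewed: [..., "pillow*"]; tightened to the exact name.
        patterns: ["numpy", "scipy", "requests", "tornado", "networkx", "pillow"]
        update-types: ["minor", "patch"]
      devdeps:
        dependency-type: "development"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule: {interval: "weekly", day: "tuesday", time: "04:00"}
    open-pull-requests-limit: 5
    labels: ["dependencies", "github-actions"]
    reviewers: ["mariobehling"]
"""

# Pattern lists before and after the review comments.
LOOSE_FRONTEND = ["react*", "react-*", "d3-*", "three", "jquery"]
TIGHT_FRONTEND = ["react", "react-dom", "react-grid-layout", "d3-*", "three", "jquery"]
LOOSE_CORE = ["numpy", "scipy", "requests", "tornado", "networkx", "pillow*"]
TIGHT_CORE = ["numpy", "scipy", "requests", "tornado", "networkx", "pillow"]

# Constructed sample dependency names; "reactive-store" is hypothetical.
SAMPLE_NPM = ["react", "react-dom", "react-grid-layout", "reactive-store",
              "d3-scale", "three", "jquery", "lodash"]
SAMPLE_PIP = ["numpy", "pillow", "pillow-heif", "flask"]


def matches(name: str, pattern: str) -> bool:
    """Approximate Dependabot's group pattern: '*' is a wildcard, compared
    case-insensitively (assumption: fnmatch semantics are close enough)."""
    return fnmatchcase(name.lower(), pattern.lower())


def assign_groups(packages, groups):
    """Map packages to groups. `groups` is an ordered dict name -> patterns.
    Assumption: a dependency joins the first group whose patterns match it;
    unmatched packages are collected under the key None."""
    out = {name: [] for name in groups}
    out[None] = []
    for pkg in packages:
        for name, patterns in groups.items():
            if any(matches(pkg, p) for p in patterns):
                out[name].append(pkg)
                break
        else:
            out[None].append(pkg)
    return out


def overmatched(loose, tight, packages):
    """Packages the loose pattern list catches that the tightened one does not."""
    return sorted(p for p in packages
                  if any(matches(p, x) for x in loose)
                  and not any(matches(p, x) for x in tight))


if __name__ == "__main__":
    print("npm caught only by loose patterns:", overmatched(LOOSE_FRONTEND, TIGHT_FRONTEND, SAMPLE_NPM))
    print("pip caught only by loose patterns:", overmatched(LOOSE_CORE, TIGHT_CORE, SAMPLE_PIP))
    print(assign_groups(SAMPLE_NPM, {"frontend": TIGHT_FRONTEND}))
```

Running the script shows the over-match the review describes: `react*` sweeps in `reactive-store`, and `pillow*` sweeps in `pillow-heif`, while the tightened lists still group every package the PR says it wants grouped. Extend `SAMPLE_NPM` and `SAMPLE_PIP` from the repository's real lockfiles to check the patterns against actual dependency names before merging the config.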


Copilot AI left a comment


Pull request overview

This PR adds a Dependabot configuration to automatically manage npm, pip, and GitHub Actions dependency updates on a weekly schedule, with grouping and reviewer defaults.

Changes:

  • Introduces .github/dependabot.yml with version: 2 and three updates blocks for npm, pip, and github-actions.
  • Configures weekly schedules on different days, limits open Dependabot PRs to 5 per ecosystem, and assigns mariobehling as reviewer for all Dependabot PRs.
  • Adds grouping rules for frontend-related npm packages, core Python libraries, and development dependencies.



Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.




Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.


