Conversation

@CryptoFewka CryptoFewka commented Oct 24, 2025

Summary by CodeRabbit

  • Chores
    • Reorganized dependency update configuration to establish distinct update groups for ZetaChain and non-ZetaChain packages, with separate security update handling. Added pull request limits while maintaining security update priority.

@CryptoFewka CryptoFewka requested review from a team as code owners October 24, 2025 13:48
@CryptoFewka CryptoFewka changed the title Refactor dependabot configuration for npm updates chore: Refactor dependabot configuration for npm updates Oct 24, 2025
@github-actions github-actions bot added the chore label Oct 24, 2025

coderabbitai bot commented Oct 24, 2025

📝 Walkthrough

Restructured Dependabot npm configuration to use a groups-based approach with separate version and security update schemas for ZetaChain packages and other dependencies. Converted labels formatting, added open-pull-requests-limit of 2, and replaced single directory field with multiple directories.

Changes

  • Dependabot Configuration Restructuring: .github/dependabot.yml
    Replaced single directory with multiple directories list, introduced top-level groups block defining zetachain-version, everything-else-version, zetachain-security, and everything-else-security groups with pattern-based include/exclude logic. Converted labels from list to single-line array. Added open-pull-requests-limit of 2. Included explanatory comments for each group.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: you can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check (✅ Passed): The title "chore: Refactor dependabot configuration for npm updates" directly reflects the primary change in the pull request, which is a comprehensive refactoring of the .github/dependabot.yml file to reorganize npm update management through grouped versioning, pattern-based filtering, and updated constraints. The title is specific, concise, and uses appropriate conventional commit formatting with the "chore:" prefix for configuration changes. It clearly communicates the main purpose without vague language or unnecessary noise, allowing teammates to understand the change at a glance.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/dependabot.yml (1)

28-30: Exclusion patterns are duplicated across groups.

The same three @zetachain/* packages are excluded in both everything-else-version (lines 28–30) and everything-else-security (lines 48–50). Consider documenting this duplication or extracting it to a shared constant/comment for maintainability.

Also applies to: 48-50

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 6074eb6 and 6e88e4b.

📒 Files selected for processing (1)
  • .github/dependabot.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build
🔇 Additional comments (2)
.github/dependabot.yml (2)

7-13: Strong approach to grouping and clarity.

The restructured groups strategy is well-organized, separating ZetaChain packages from general dependencies and security updates from version updates. The explanatory comments and the PR limit note (line 13) make the intent clear.


4-5: Both "directory" (for a single path) and "directories" (for multiple paths) are supported in Dependabot configuration. The code correctly uses directories with a list containing the "/" root path, which is valid Dependabot syntax. No issue with the field name.

Likely an incorrect or invalid review comment.

Comment on lines +17 to +33
zetachain-version:
patterns:
- "@zetachain/networks"
- "@zetachain/protocol-contracts"
- "@zetachain/addresses"

# 2) Everything else in one PR (exclude ZetaChain deps to avoid overlap)
everything-else-version:
patterns:
- "*"
exclude-patterns:
- "@zetachain/networks"
- "@zetachain/protocol-contracts"
- "@zetachain/addresses"
update-types:
- "minor"
- "patch"
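Review bot: the `update-types: ["minor", "patch"]` restriction on everything-else-version (last four lines of this region) only decides which updates that group batches; it does not prevent Dependabot from raising major updates of non-ZetaChain packages, which fall through to individual pull requests and still consume the open-pull-requests-limit of 2. If the intent is to block majors for third-party packages, put that in a top-level `ignore` entry (dependency-name: "*", update-types: ["version-update:semver-major"]) rather than in the group; if the intent is only to keep majors out of the batch, a one-line comment on the group saying so would settle the asymmetry question raised in the review.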

🛠️ Refactor suggestion | 🟠 Major

🧩 Analysis chain

Clarify intentional asymmetry in update-types restrictions.

The zetachain-version group has no update-types restriction, allowing major updates. Meanwhile, everything-else-version restricts to minor/patch only. This asymmetry means ZetaChain packages receive major version bumps while other dependencies do not.

Please confirm this is intentional and aligns with your dependency management strategy.


I'll verify the context and intent of this configuration asymmetry.


🏁 Script executed:

#!/bin/bash
# Examine the full dependabot.yml file for context
cat .github/dependabot.yml

Length of output: 1365


🏁 Script executed:

#!/bin/bash
# Search for any documentation or comments related to dependency update strategy
rg -n -B2 -A2 "zetachain|update-types|dependency.*strateg" --type yaml --type md --type txt

Length of output: 3619


🏁 Script executed:

#!/bin/bash
# Check if there's a CONTRIBUTING or similar guide
find . -maxdepth 2 -type f \( -iname "CONTRIBUTING*" -o -iname "README*" -o -iname "DEPENDENCY*" \) | head -20

Length of output: 31


Document the rationale for asymmetric update-types policy.

The asymmetry is intentional: ZetaChain packages (@zetachain/*) are core dependencies and receive all update types (major/minor/patch), while third-party dependencies are restricted to minor/patch only. This aligns with the project's tight coupling to ZetaChain versions.

Add a clarifying comment above the zetachain-version group explaining this strategy so future maintainers understand the design decision:

      # 1) ZetaChain packages together (allow major updates—core to project)
      zetachain-version:
🤖 Prompt for AI Agents
.github/dependabot.yml lines 17-33: add a clarifying YAML comment immediately
above the `zetachain-version` group explaining the asymmetric update-types
policy; insert a single-line or block comment that says something like: "# 1)
ZetaChain packages together (allow major updates—core to project): ZetaChain
packages are core dependencies so we permit major/minor/patch updates, while
other third-party deps are limited to minor/patch." to make the rationale
explicit for future maintainers.
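To make the routing behaviour discussed in this thread concrete, here is an added Python model (not the project's configuration and not Dependabot's code); it reuses the four group names and patterns quoted above and models Dependabot's documented group semantics as understood here, which is an assumption rather than a verified reimplementation.

```python
from fnmatch import fnmatch

# Constructed model of the groups described in this PR (not the project's own file).
ZETA = ["@zetachain/networks", "@zetachain/protocol-contracts", "@zetachain/addresses"]
GROUPS = {
    "zetachain-version": {"patterns": ZETA},
    "everything-else-version": {"patterns": ["*"], "exclude-patterns": ZETA,
                                "update-types": ["minor", "patch"]},
    "zetachain-security": {"applies-to": "security-updates", "patterns": ZETA},
    "everything-else-security": {"applies-to": "security-updates",
                                 "patterns": ["*"], "exclude-patterns": ZETA},
}
ALL_TYPES = ["major", "minor", "patch"]

def matches_group(name, update_type, group, security=False):
    """True if (package, update-type) falls in `group`. Models Dependabot's
    documented group semantics as understood here (assumption): patterns and
    exclude-patterns are globs, a missing update-types means every type, and a
    group with applies-to: security-updates only takes security updates."""
    wants_security = group.get("applies-to") == "security-updates"
    if wants_security != security:
        return False
    if not any(fnmatch(name, p) for p in group["patterns"]):
        return False
    if any(fnmatch(name, p) for p in group.get("exclude-patterns", [])):
        return False
    return update_type in group.get("update-types", ALL_TYPES)

def assign(updates, groups=GROUPS, security=False):
    """Map each (name, update-type) to the first matching group, or to None
    (an individual PR). Groups route updates, they do not suppress them, so a
    major bump of a non-ZetaChain package still surfaces on its own."""
    out = {}
    for name, kind in updates:
        out[(name, kind)] = next((g for g, spec in groups.items()
                                  if matches_group(name, kind, spec, security)), None)
    return out

def duplicated_excludes(groups=GROUPS):
    """Report exclude-patterns that appear in more than one group (the nitpick above)."""
    seen = {}
    for g, spec in groups.items():
        for p in spec.get("exclude-patterns", []):
            seen.setdefault(p, []).append(g)
    return {p: gs for p, gs in seen.items() if len(gs) > 1}

if __name__ == "__main__":
    sample = [("@zetachain/networks", "major"), ("ethers", "patch"), ("ethers", "major")]
    for key, group in assign(sample).items():
        print(key, "->", group or "individual PR")
    print(duplicated_excludes())
```

The package name "ethers" in the sample is a constructed stand-in for any non-ZetaChain dependency.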
