chore(deps): apply estate dependabot policy — ignore semver-major (standards#301) by hyperpolymath · Pull Request #153 · hyperpolymath/ambientops

hyperpolymath · 2026-05-30T18:49:57Z

Summary

Adds the canonical estate ignore: dependency-name "*" version-update:semver-major block to each non-github-actions ecosystem entry in .github/dependabot.yml
9 entries get the ignore (5 cargo: root + czech-file-knife + panoptes + personal-sysadmin + displace; mix; npm; pip; nix). github-actions is left as-is per estate doc — SHA pins make action majors safe.
Brings ambientops into conformance with standards#301 / docs/DEPENDABOT-POLICY.adoc

Context

Per the 2026-05-29 echidna incident (#120-#124 broke main for ~24h), unattended dependabot semver-major merges fly through the estate validation gates (K9 / A2ML / language-policy) but break the actual compile gates on subsequent pushes. Estate policy now: majors land via author-supplied PRs paired with call-site updates.

This PR closes 7 risky in-flight dependabot PRs as superseded:

chore(deps): bump reqwest from 0.12.28 to 0.13.4 #147 reqwest 0.12.28→0.13.4 (0.x minor breaking)
chore(deps): bump config from 0.14.1 to 0.15.23 #145 config 0.14.1→0.15.23 (0.x minor breaking, multi-version)
chore(deps): bump symphonia from 0.5.5 to 0.6.0 in /panoptes #144 symphonia 0.5.5→0.6.0 (0.x minor breaking)
chore(deps): bump thiserror from 1.0.69 to 2.0.18 in /panoptes #146 thiserror 1.0.69→2.0.18 (major)
chore(deps): bump colored from 2.2.0 to 3.1.1 #142 colored 2.2.0→3.1.1 (major)
chore(deps): bump rusqlite from 0.31.0 to 0.40.0 in /panoptes #136 rusqlite 0.31.0→0.40.0 (0.x huge jump)
chore(deps): bump nix from 0.30.1 to 0.31.3 in /personal-sysadmin #135 nix 0.30.1→0.31.3 (0.x minor breaking)

Each needs a paired code-side migration that hasn't been done; this PR parks them safely via the canonical policy.

Test plan

dependabot config check passes (YAML valid)
CI green (existing gates)
After merge, dependabot does not re-file the 7 closed PRs

…andards#301) Adds the canonical ignore block: - dependency-name: "*" update-types: ["version-update:semver-major"] to each non-github-actions ecosystem entry (9 entries: 5 cargo + mix + npm + pip + nix). Estate policy standards#301 (docs/DEPENDABOT-POLICY.adoc) requires this shape after the 2026-05-29 echidna #120-#124 incident where 5 unattended major bumps broke main for ~24h. Major bumps should land via author-supplied PRs paired with call-site updates; minor + patch continue to flow via dependabot. Supersedes the existing per-library risky bumps: - #147 reqwest 0.12→0.13 - #145 config 0.14→0.15 - #144 symphonia 0.5→0.6 - #136 rusqlite 0.31→0.40 (will close) - #135 nix 0.30→0.31 - #146 thiserror 1→2 - #142 colored 2→3

github-actions · 2026-05-31T09:22:48Z

🔍 Hypatia Security Scan

Findings: 121 issues detected

Severity	Count
🔴 Critical	29
🟠 High	40
🟡 Medium	52

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "Issue in boj-build.yml",
    "type": "missing_timeout_minutes",
    "file": "boj-build.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in casket-pages.yml",
    "type": "missing_timeout_minutes",
    "file": "casket-pages.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in casket-pages.yml",
    "type": "missing_timeout_minutes",
    "file": "casket-pages.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "missing_timeout_minutes",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "missing_timeout_minutes",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "missing_timeout_minutes",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "missing_timeout_minutes",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "missing_timeout_minutes",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "missing_timeout_minutes",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in guix-nix-policy.yml",
    "type": "missing_timeout_minutes",
    "file": "guix-nix-policy.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

hyperpolymath enabled auto-merge (squash) May 30, 2026 18:50

hyperpolymath merged commit 5b40aba into main May 30, 2026
21 of 23 checks passed

hyperpolymath deleted the claude/dependabot-policy-conformance branch May 30, 2026 18:53

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): apply estate dependabot policy — ignore semver-major (standards#301)#153

chore(deps): apply estate dependabot policy — ignore semver-major (standards#301)#153
hyperpolymath merged 1 commit into
mainfrom
claude/dependabot-policy-conformance

hyperpolymath commented May 30, 2026

Uh oh!

Uh oh!

github-actions Bot commented May 31, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

hyperpolymath commented May 30, 2026

Summary

Context

Test plan

Uh oh!

Uh oh!

github-actions Bot commented May 31, 2026

🔍 Hypatia Security Scan

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant