chore: Add a dependabot.yml to better configure its behavior by hsubox76 · Pull Request #9620 · firebase/firebase-js-sdk

hsubox76 · 2026-03-04T16:39:59Z

See https://docs.github.com/en/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file

This allows configuring dependabot beyond the Github defaults. I'm using this to exclude the auth demo packages as they aren't used in production and are cluttering up dependabot PRs. (We use both Renovate and Dependabot - we've already excluded these directories in the Renovate config.)

changeset-bot · 2026-03-04T16:40:15Z

⚠️ No Changeset found

Latest commit: 6051683

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

gemini-code-assist · 2026-03-04T16:41:14Z

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a dependabot.yml file to customize Dependabot's behavior, primarily to reduce noise from non-production demo packages by excluding them from dependency updates. It also ensures that GitHub Actions used in the repository are kept up-to-date, streamlining the dependency management process.

Highlights

Dependabot Configuration Added: A new dependabot.yml file has been introduced to the .github directory, enabling custom configuration for Dependabot's dependency update behavior.
NPM Dependency Management: Dependabot is now configured to monitor npm package dependencies across various project directories, including the root, packages/*, integration/*, e2e/*, and repo-scripts/**/*.
Exclusion of Demo Packages: Specific authentication-related demo packages (e.g., /packages/auth/demo, /packages/auth/cordova/demo, /packages/auth-compat/demo) have been explicitly excluded from npm dependency updates to reduce irrelevant pull requests.
GitHub Actions Updates: The configuration also includes daily checks for updates to GitHub Actions used within the repository.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

.github/dependabot.yml
- Added a new Dependabot configuration file.

Activity

No specific activity details were provided in the context.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	`/gemini review`	Performs a code review for the current pull request in its current state.
Pull Request Summary	`/gemini summary`	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	`/gemini help`	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

gemini-code-assist

Code Review

The pull request introduces a dependabot.yml file to configure Dependabot, specifically to exclude demo packages from dependency updates and to manage GitHub Actions dependencies. This configuration aligns with the stated goal of reducing noise from non-production dependencies and provides better control over Dependabot's behavior.

.github/dependabot.yml

* build(deps): bump underscore in /packages/auth/demo/functions (#9617) Bumps [underscore](https://github.com/jashkenas/underscore) from 1.13.6 to 1.13.8. - [Commits](jashkenas/underscore@1.13.6...1.13.8) --- updated-dependencies: - dependency-name: underscore dependency-version: 1.13.8 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump fast-xml-parser (#9616) Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 4.3.5 to 4.5.4. - [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases) - [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md) - [Commits](NaturalIntelligence/fast-xml-parser@v4.3.5...v4.5.4) --- updated-dependencies: - dependency-name: fast-xml-parser dependency-version: 4.5.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump fast-xml-parser in /packages/auth/demo/functions (#9615) Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 4.3.5 to 4.5.4. - [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases) - [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md) - [Commits](NaturalIntelligence/fast-xml-parser@v4.3.5...v4.5.4) --- updated-dependencies: - dependency-name: fast-xml-parser dependency-version: 4.5.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump minimatch in /packages/auth-compat/demo (#9601) Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.0.4 to 3.1.5. - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.0.4...v3.1.5) --- updated-dependencies: - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump minimatch in /packages/rules-unit-testing/functions (#9595) Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.1.2 to 3.1.4. - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.4) --- updated-dependencies: - dependency-name: minimatch dependency-version: 3.1.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): update peter-evans/create-or-update-comment digest to e2426b4 (#9579) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): bump minimatch in /packages/auth/demo/functions (#9592) Bumps [minimatch](https://github.com/isaacs/minimatch) from 5.1.6 to 5.1.7. - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v5.1.6...v5.1.7) --- updated-dependencies: - dependency-name: minimatch dependency-version: 5.1.7 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump axios from 1.7.9 to 1.13.5 (#9574) Bumps [axios](https://github.com/axios/axios) from 1.7.9 to 1.13.5. - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.7.9...v1.13.5) --- updated-dependencies: - dependency-name: axios dependency-version: 1.13.5 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump ajv in /packages/auth-compat/demo (#9585) Bumps [ajv](https://github.com/ajv-validator/ajv) from 6.12.6 to 6.14.0. - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v6.12.6...v6.14.0) --- updated-dependencies: - dependency-name: ajv dependency-version: 6.14.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump fast-xml-parser (#9607) Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 4.3.2 to 4.5.4. - [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases) - [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md) - [Commits](NaturalIntelligence/fast-xml-parser@v4.3.2...v4.5.4) --- updated-dependencies: - dependency-name: fast-xml-parser dependency-version: 4.5.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump basic-ftp from 5.0.5 to 5.2.0 (#9598) Bumps [basic-ftp](https://github.com/patrickjuchli/basic-ftp) from 5.0.5 to 5.2.0. - [Release notes](https://github.com/patrickjuchli/basic-ftp/releases) - [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md) - [Commits](patrickjuchli/basic-ftp@v5.0.5...v5.2.0) --- updated-dependencies: - dependency-name: basic-ftp dependency-version: 5.2.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps-dev): bump rollup in /packages/auth-compat/demo (#9599) Bumps [rollup](https://github.com/rollup/rollup) from 2.79.1 to 2.80.0. - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/v2.80.0/CHANGELOG.md) - [Commits](rollup/rollup@v2.79.1...v2.80.0) --- updated-dependencies: - dependency-name: rollup dependency-version: 2.80.0 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: Add a dependabot.yml to better configure its behavior (#9620) * firestore: improve documentation about CRUD promises and when they resolve (#8887) * fix: Workaround rollup terser-plugin's inconsistent property naming when using multiple entry points (#9622) * fix: Workaround rollup terser-plugin's inconsistent property naming when using multiple entrypoints * Create spotty-hornets-thank.md * Update rollup.config.lite.js Removed the `-[hash]` from the intermediate builds on the lite pipelines, both for consistency and to limit the amount of extraneous files created. * Bump firebase package dependency versions * OTEL Tracing Initial Commit * Tracing * Debugging * Cleanup * Local debug cleanup * Linter suggested fixes * Yarn format fix * More docgen and format updates * Fixes from yarn test * Yarn lint fixes * More yarn docgen:all fixes * Modify otlp exporter * Lint fixes * Removing unused dynamic header for now * Renaming * Removing node tracing for now * yarn format * Move tracing provider away from node * Updating otel dependencies * format * Updating otel dependencies * Remove fetch and user interaction libaries * Removing node tracing * format * Crashlytics tracing onboarding improvements (#9587) * modify tracing branch with different crashoption names * Updates so that folks can dev locally * Remove package bump * replace loggingUrl with endpointUrl * yarn format * Modify which tracing instrumentation we use * Attempt to remove dependency error triggered by document load library --------- Co-authored-by: Chris Chestnut <[email protected]> * Crash tracing rebase (#9600) * Refactor Github Action per b/485167538 (#9555) Co-authored-by: Ben Knutson <[email protected]> * build(deps): bump lodash in /packages/auth-compat/demo/functions (#9482) Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump lodash in /packages/auth-compat/demo (#9464) Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump lodash in /packages/rules-unit-testing/functions (#9463) Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump lodash in /packages/auth/demo/functions (#9466) Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): update dependency webpack-dev-server to v5.2.1 [security] (#9078) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update google-github-actions/auth digest to fc21748 (#8879) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#9465) Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.17.23 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Remove health metrics workflows (#9571) * feat(ai): Automatic function calling (#9489) * Updating otel dependencies * format * Updating otel dependencies * Remove fetch and user interaction libaries * Removing node tracing * format * Update angular example to modern standards (#9583) * chore(deps): update dependency @rollup/plugin-strip to v3 (#8745) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(deps): update dependency @rollup/plugin-virtual to v3 (#8771) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Use environment for wdr tokens (#9578) * use environment for wdr tokens * missed a file * fix(deps): update dependency @rushstack/node-core-library to v5 (#8816) * fix(deps): update dependency @rushstack/node-core-library to v5 * Fix method name --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Christina Holland <[email protected]> * Update logs endpoint w/ location (fixed to `global` for now) --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: Google Admin <[email protected]> Co-authored-by: Ben Knutson <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Christina Holland <[email protected]> Co-authored-by: Anit Das <[email protected]> Co-authored-by: Anthony Barone <[email protected]> Co-authored-by: Morgan Chen <[email protected]> * add code owners for crashlytics (#9707) * Revert "add code owners for crashlytics (#9707)" (#9711) This reverts commit e8ca524. * Merge latest changes from main into crashlytics (#9741) * Rebase crashlytics on top of main * Update crashlytics package.json's firebase dependency versions * Merge crashlytics into crashlytics-tracing (#9699) * Catch up PR (#9713) * adding xhr instrumentation (#9719) Co-authored-by: Chris Chestnut <[email protected]> --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Christina Holland <[email protected]> Co-authored-by: Denver Coneybeare <[email protected]> Co-authored-by: Mark Duckworth <[email protected]> Co-authored-by: abrook <[email protected]> Co-authored-by: Anit Das <[email protected]> Co-authored-by: MaesterChestnut <[email protected]> Co-authored-by: Chris Chestnut <[email protected]> Co-authored-by: Google Admin <[email protected]> Co-authored-by: Ben Knutson <[email protected]> Co-authored-by: Anthony Barone <[email protected]> Co-authored-by: Morgan Chen <[email protected]>

Add a dependabot.yml to better configur eits behavior

23bb361

hsubox76 marked this pull request as ready for review March 4, 2026 16:40

hsubox76 requested a review from a team as a code owner March 4, 2026 16:40

gemini-code-assist bot reviewed Mar 4, 2026

View reviewed changes

.github/dependabot.yml Outdated Show resolved Hide resolved

DellaBitta approved these changes Mar 5, 2026

View reviewed changes

hsubox76 added 2 commits March 5, 2026 12:09

add a newline at the end

af9e005

format exclude-paths

6051683

hsubox76 merged commit 792c616 into main Mar 5, 2026
34 of 35 checks passed

hsubox76 deleted the ch-dependabot branch March 5, 2026 20:37

hsubox76 mentioned this pull request Mar 23, 2026

chore: remove dependabot.yml #9743

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: Add a dependabot.yml to better configure its behavior#9620

chore: Add a dependabot.yml to better configure its behavior#9620
hsubox76 merged 3 commits intomainfrom
ch-dependabot

hsubox76 commented Mar 4, 2026

Uh oh!

changeset-bot bot commented Mar 4, 2026 •

edited

Loading

Uh oh!

gemini-code-assist bot commented Mar 4, 2026

Uh oh!

gemini-code-assist bot left a comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

hsubox76 commented Mar 4, 2026

Uh oh!

changeset-bot bot commented Mar 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠️ No Changeset found

Uh oh!

gemini-code-assist bot commented Mar 4, 2026

Summary of Changes

Highlights

Footnotes

Uh oh!

gemini-code-assist bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

changeset-bot bot commented Mar 4, 2026 •

edited

Loading