feat(dependabot): validator, tests and example config for issue #73 #87

Open
kallal79 wants to merge 1 commit into AOSSIE-Org:main from kallal79:issue-73-dependabot

Conversation

@kallal79

@kallal79 kallal79 commented Mar 4, 2026

Summary by CodeRabbit

  • New Features

    • Added automated dependency management configuration to track npm and pip updates in separate schedules.
    • Introduced setup automation scripts for quick project initialization and validation.
  • Documentation

    • Updated README with details on automation and testing procedures.
  • Chores

    • Added project configuration files and testing infrastructure.
    • Configured initial npm scripts for testing and validation.

@github-actions github-actions bot added labels on Mar 4, 2026: no-issue-linked (PR is not linked to any issue), ci-cd (CI/CD pipeline changes), configuration (Configuration file changes), dependencies (Dependency file changes), documentation (Changes to documentation files), javascript (JavaScript/TypeScript code changes), tests (Test file changes), size/L (Large PR, 201-500 lines changed), first-time-contributor (First PR of an external contributor), pending-coderabbit-review

coderabbitai bot commented Mar 4, 2026

Walkthrough

This pull request establishes a Dependabot configuration validation framework. It introduces configuration files, setup scripts for dependency installation and testing, a validation utility that checks Dependabot YAML configurations, and a comprehensive test suite ensuring configurations contain required grouping patterns.

Changes

Cohort / File(s) Summary
Dependabot Configuration & Setup
.github/dependabot.yml, .gitignore
Adds Dependabot configuration defining npm and pip ecosystem monitoring with grouped updates; extends gitignore to explicitly exclude /node_modules.
Validation & Testing Infrastructure
scripts/validate-dependabot.js, tests/dependabot.test.js
Introduces validateDependabot() function that validates Dependabot YAML structure (file existence, YAML parsing, required updates array, group/multi-ecosystem presence); includes 7+ test cases covering success and failure scenarios.
Bootstrap & Environment Setup
setup.sh, setup.ps1
Adds shell (Bash) and PowerShell setup scripts that verify package.json presence, install npm dependencies, and execute test suite with error propagation.
Project Configuration & Documentation
package.json, README.md
Defines project metadata, npm scripts (test, test:watch, check), and devDependencies (vitest, js-yaml); documents Dependabot validator in new "Automation & CI" section with references to scripts and tests.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

Bash Lang, Documentation, Configuration

Suggested reviewers

  • Zahnentferner

Poem

🐰 Hoppity-hop, configs align!
Dependabot's groups now so fine,
Validation scripts dance with tests that sing,
Setup scripts bootstrap the whole dang thing!

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main changes: adding a Dependabot validator, tests, and example config to address issue #73.

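The checks the walkthrough describes (an `updates` array, YAML loading, grouping presence), written out as an added example that is not the PR's scripts/validate-dependabot.js. It goes a little beyond the page: it folds in the review's guard against null entries, tests grouping per ecosystem entry rather than setting one flag, and checks the Dependabot v2 keys every entry must carry. validateDoc works on an already-parsed document so it runs without a YAML library; validateDependabot assumes js-yaml ^4 as listed in the PR's package.json; the sample documents are constructed here.

```javascript
// Required keys for every entry under `updates` in the Dependabot v2 schema.
const REQUIRED_ENTRY_KEYS = ['package-ecosystem', 'directory', 'schedule'];

function isMapping(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Structural checks on an already-parsed document; returns { ok, issues }.
function validateDoc(doc) {
  const issues = [];
  if (!isMapping(doc)) return { ok: false, issues: ['config is not a mapping'] };
  if (doc.version !== 2) issues.push(`version must be 2, got ${JSON.stringify(doc.version)}`);
  if (!Array.isArray(doc.updates) || doc.updates.length === 0) {
    issues.push('updates must be a non-empty array');
    return { ok: false, issues };
  }
  doc.updates.forEach((upd, i) => {
    const where = `updates[${i}]`;
    // Guard before any property read: a bare "-" list item in YAML parses to null.
    if (!isMapping(upd)) {
      issues.push(`${where}: entry is not a mapping`);
      return;
    }
    for (const key of REQUIRED_ENTRY_KEYS) {
      if (!(key in upd)) issues.push(`${where}: missing "${key}"`);
    }
    if (isMapping(upd.schedule) && typeof upd.schedule.interval !== 'string') {
      issues.push(`${where}: schedule.interval must be a string`);
    }
    // Grouping is checked per entry so an ungrouped ecosystem cannot hide behind
    // a grouped one; Object.keys() on a string would count its characters, hence
    // the mapping check on `groups` itself.
    const grouped = isMapping(upd.groups) && Object.keys(upd.groups).length > 0;
    if (!grouped) issues.push(`${where}: no update groups defined`);
  });
  return { ok: issues.length === 0, issues };
}

// File-level wrapper. Assumes js-yaml ^4 is installed (as in the PR's
// package.json); it is loaded lazily so validateDoc stays dependency-free.
function validateDependabot(filePath = '.github/dependabot.yml') {
  const fs = require('fs');
  if (!fs.existsSync(filePath)) return { ok: false, issues: [`${filePath} not found`] };
  try {
    return validateDoc(require('js-yaml').load(fs.readFileSync(filePath, 'utf8')));
  } catch (err) {
    return { ok: false, issues: [`${filePath}: ${err.message}`] };
  }
}

// Constructed sample documents (what js-yaml would return for the YAML).
const SAMPLE_OK = {
  version: 2,
  updates: [
    { 'package-ecosystem': 'npm', directory: '/', schedule: { interval: 'weekly' },
      groups: { 'npm-all': { patterns: ['*'] } } },
    { 'package-ecosystem': 'pip', directory: '/', schedule: { interval: 'monthly' },
      groups: { 'pip-all': { patterns: ['*'] } } },
  ],
};
const SAMPLE_BAD = {
  version: '2',
  updates: [
    null,                                                   // bare "-" item
    { 'package-ecosystem': 'npm', directory: '/', schedule: { interval: 'weekly' },
      groups: 'npm-all' },                                  // string, not a mapping
    { 'package-ecosystem': 'pip', schedule: { interval: 7 } },
  ],
};
```

validateDoc(SAMPLE_BAD) reports six issues, one per defect above, instead of throwing on the null entry.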

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/dependabot.yml:
- Line 1: The file contains CRLF line endings causing YAMLlint to fail;
normalize the file to use LF-only newlines (replace CRLF with \n) so the
"version: 2" YAML line ends with a LF; ensure your editor/git config saves
.github/dependabot.yml with Unix-style line endings (or run a utility like
dos2unix) and commit the normalized file.

In `@package.json`:
- Around line 10-13: package.json currently lists "js-yaml" under
devDependencies but it's required at runtime by scripts/validate-dependabot.js;
move "js-yaml" from devDependencies to dependencies by removing the "js-yaml"
entry under devDependencies and adding it under the dependencies object
(preserve the version "^4.1.0"), then run npm install to update lockfile so npm
install --omit=dev won't fail; ensure scripts/validate-dependabot.js still
imports "js-yaml" without changes.

In `@scripts/validate-dependabot.js`:
- Around line 58-61: Add a CLI entrypoint so running `node
scripts/validate-dependabot.js` actually invokes the validator: detect direct
invocation (e.g. if require.main === module), call the exported
validateDependabot() function, print or console.log the validation results, and
ensure the process exits non-zero on failure (process.exit(1)) and zero on
success (process.exit(0)); update the module.exports block to keep exporting
validateDependabot while adding this execution guard and proper error handling
for thrown/rejected errors.
- Around line 42-47: The loop over doc.updates can crash if an element is null
or not an object; before accessing upd.groups or upd['multi-ecosystem'] in the
for (const upd of doc.updates) loop, guard each element with a type check (e.g.,
if (typeof upd !== 'object' || upd === null) continue) and only then perform the
existing checks that set foundGroup; update the checks around upd.groups and
upd['multi-ecosystem'] (and any other property reads on upd) to rely on that
guard so the validator skips invalid entries safely.

In `@setup.ps1`:
- Line 2: Replace all uses of Write-Host with Write-Output in this script:
change the three occurrences of Write-Host (the one at the top "Running setup
(PowerShell)" and the other two occurrences referenced in the comment) to
Write-Output so output is pipeline-friendly and can be redirected/captured;
ensure the messages and spacing remain identical and run a quick test to confirm
behavior is unchanged when redirected.

In `@tests/dependabot.test.js`:
- Around line 7-16: The tests currently mutate the repo’s real
.github/dependabot.yml via writeConfig and removeConfig; change them to create
and operate on an isolated temporary directory (e.g., using fs.mkdtemp or a temp
helper) and construct the test config path (tempDir + '/.github/dependabot.yml')
instead of process.cwd(); update calls to validateDependabot() to pass that
testPath (validateDependabot(testPath)) so the functions writeConfig and
removeConfig accept and use a filePath parameter or are replaced by helpers that
take the tempDir, ensuring no real repository files are overwritten.

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 10f32ad and ee3bc7c.

📒 Files selected for processing (8)
  • .github/dependabot.yml
  • .gitignore
  • README.md
  • package.json
  • scripts/validate-dependabot.js
  • setup.ps1
  • setup.sh
  • tests/dependabot.test.js

@@ -0,0 +1,20 @@
version: 2
⚠️ Potential issue | 🟠 Major

Normalize file line endings to LF to satisfy YAMLlint.

Line 1 indicates CRLF newlines; YAMLlint expects \n and will fail until this file is normalized.

🧰 Tools
🪛 YAMLlint (1.38.0)

[error] 1-1: wrong new line character: expected \n

(new-lines)


Comment on lines +10 to +13
"devDependencies": {
"vitest": "^1.0.0",
"js-yaml": "^4.1.0"
}
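Review bot: there is no lockfile alongside these caret ranges; the PR's file list (package.json, README.md, the setup scripts, the validator and its test) contains no package-lock.json, so the npm install run by setup.sh/setup.ps1 resolves "^1.0.0" and "^4.1.0" afresh on every run and installs are not reproducible. Commit package-lock.json and switch the setup scripts to `npm ci` so the validator's own dependencies are pinned to what was reviewed.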

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) Confirm js-yaml is imported by runtime validator code:"
rg -n --type=js "require\\(['\"]js-yaml['\"]\\)|from ['\"]js-yaml['\"]" scripts

echo
echo "2) Confirm js-yaml is currently declared only in devDependencies:"
rg -n "\"dependencies\"|\"devDependencies\"|\"js-yaml\"" package.json -C2

Repository: AOSSIE-Org/Template-Repo

Length of output: 415


Move js-yaml to runtime dependencies.

js-yaml is required by scripts/validate-dependabot.js at runtime. Installing with npm install --omit=dev will fail with MODULE_NOT_FOUND.

Proposed fix
 {
   "name": "template-repo",
   "version": "0.1.0",
   "private": true,
   "scripts": {
     "test": "vitest run",
     "test:watch": "vitest",
     "check": "echo \"No checks configured yet\""
   },
-  "devDependencies": {
-    "vitest": "^1.0.0",
-    "js-yaml": "^4.1.0"
-  }
+  "dependencies": {
+    "js-yaml": "^4.1.0"
+  },
+  "devDependencies": {
+    "vitest": "^1.0.0"
+  }
 }
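Review bot: the `"check"` script in this hunk is still `echo "No checks configured yet"` even though the PR adds the validator it could run; point it at `node scripts/validate-dependabot.js` (once the script has its CLI entry) so `npm run check`, and any CI job that calls it, exercises the new code instead of printing a placeholder.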

Comment on lines +42 to +47
for (const upd of doc.updates) {
if (upd.groups && Object.keys(upd.groups).length > 0) {
foundGroup = true;
}
if (upd['multi-ecosystem'] || upd['multi-ecosystem-groups']) {
foundGroup = true;
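Review bot: foundGroup is sticky across the loop, so one grouped entry makes the whole config pass even when another ecosystem has no groups at all (npm grouped, pip not). If issue #73 expects every ecosystem to use grouped updates, evaluate grouping per entry and report the offending index (an issue such as "updates[1]: no groups defined") instead of OR-ing everything into a single flag.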

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# First, examine the specific lines mentioned in the review
echo "=== File content around lines 42-47 ==="
sed -n '35,55p' scripts/validate-dependabot.js

echo ""
echo "=== Full file content ==="
wc -l scripts/validate-dependabot.js

echo ""
echo "=== Complete file ==="
cat -n scripts/validate-dependabot.js

Repository: AOSSIE-Org/Template-Repo

Length of output: 2983


Guard updates items against null/non-object values before property access.

Line 31 validates doc.updates is an array but does not check element types. If an update entry is null, undefined, or non-object, accessing upd.groups or upd['multi-ecosystem'] on lines 43 and 46 will throw a TypeError and crash the validation.

Proposed fix
  for (const upd of doc.updates) {
+   if (!upd || typeof upd !== 'object') {
+     continue;
+   }
    if (upd.groups && Object.keys(upd.groups).length > 0) {
      foundGroup = true;
    }
    if (upd['multi-ecosystem'] || upd['multi-ecosystem-groups']) {
      foundGroup = true;
    }
  }
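Review bot: the new guard covers null and scalar entries, but `Object.keys(upd.groups).length > 0` still misfires when groups is itself a scalar: YAML `groups: all` parses to the string "all", Object.keys("all") has length 3, and the entry counts as grouped. Check that groups is a non-array object before calling Object.keys, and consider recording skipped entries rather than silently continuing past them, since a null item means the config is malformed.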

Comment on lines +58 to +61
// Export for tests
module.exports = {
validateDependabot,
};

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Get current working directory and list files
echo "=== Repository structure ==="
git ls-files | head -20

echo -e "\n=== Content of scripts/validate-dependabot.js ==="
cat -n scripts/validate-dependabot.js

echo -e "\n=== Check README for documented CLI usage ==="
if [ -f "README.md" ]; then
  rg -n "node scripts/validate-dependabot.js" README.md || echo "Pattern not found in README"
else
  echo "README.md not found"
fi

Repository: AOSSIE-Org/Template-Repo

Length of output: 3085


🏁 Script executed:

#!/bin/bash
# Let's see the context around line 129 in README to understand the documented usage
sed -n '120,140p' README.md

Repository: AOSSIE-Org/Template-Repo

Length of output: 757


Add a CLI entrypoint for the documented node scripts/validate-dependabot.js usage.

The README documents running the validator with node scripts/validate-dependabot.js, but the script currently only exports the validateDependabot function without a CLI entry point. Direct execution produces no output and doesn't report validation results or exit with a non-zero status code on failures.

Proposed fix
 module.exports = {
   validateDependabot,
 };
+
+if (require.main === module) {
+  const result = validateDependabot(process.argv[2]);
+  if (!result.ok) {
+    for (const issue of result.issues) {
+      console.error(issue);
+    }
+    process.exit(1);
+  }
+  console.log('dependabot config is valid');
+}
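Review bot: the entrypoint has no error handling even though this comment's summary asks for it; if validateDependabot throws (unreadable file, or a YAML parse error it does not itself turn into an issue), a stack trace is the only output. Wrap the call in try/catch, print the message with console.error and exit 1 through the same path as a failed validation. Note also that process.argv[2] is undefined when no path is given, so validateDependabot must default to .github/dependabot.yml for the README's documented usage to work.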

@@ -0,0 +1,12 @@
#!/usr/bin/env pwsh
Write-Host "Running setup (PowerShell)"

🧹 Nitpick | 🔵 Trivial

🧩 Analysis chain

🏁 Script executed:

find . -name "setup.ps1" -type f

Repository: AOSSIE-Org/Template-Repo

Length of output: 79


🏁 Script executed:

cat -n setup.ps1

Repository: AOSSIE-Org/Template-Repo

Length of output: 512


Replace Write-Host with Write-Output for output portability.

Lines 2, 7, and 10 use Write-Host, which outputs directly to the host console and cannot be redirected or captured. Use Write-Output instead to support pipeline operations and script composition.

Proposed fix
-Write-Host "Running setup (PowerShell)"
+Write-Output "Running setup (PowerShell)"
@@
-Write-Host "Installing npm dependencies..."
+Write-Output "Installing npm dependencies..."
@@
-Write-Host "Running tests..."
+Write-Output "Running tests..."
🧰 Tools
🪛 PSScriptAnalyzer (1.24.0)

[warning] 2-2: File 'setup.ps1' uses Write-Host. Avoid using Write-Host because it might not work in all hosts, does not work when there is no host, and (prior to PS 5.0) cannot be suppressed, captured, or redirected. Instead, use Write-Output, Write-Verbose, or Write-Information.

(PSAvoidUsingWriteHost)


Comment on lines +7 to +16
function writeConfig(content) {
const file = path.join(process.cwd(), '.github', 'dependabot.yml');
fs.mkdirSync(path.dirname(file), { recursive: true });
fs.writeFileSync(file, content);
}

function removeConfig() {
const file = path.join(process.cwd(), '.github', 'dependabot.yml');
if (fs.existsSync(file)) fs.unlinkSync(file);
}

⚠️ Potential issue | 🟠 Major

Do not mutate the real .github/dependabot.yml in tests.

These tests currently overwrite and delete repository config files; use an isolated temporary file path and pass it to validateDependabot(testPath).

Proposed fix (isolate test fixture path)
 import { describe, it, expect, beforeAll, afterAll } from 'vitest';
 import fs from 'fs';
 import path from 'path';
+import os from 'os';
 import { validateDependabot } from '../scripts/validate-dependabot.js';
 
+const TEST_DIR = fs.mkdtempSync(path.join(os.tmpdir(), 'dependabot-validator-'));
+const TEST_CONFIG = path.join(TEST_DIR, 'dependabot.yml');
+
 // Helper to write temporary config
 function writeConfig(content) {
-  const file = path.join(process.cwd(), '.github', 'dependabot.yml');
-  fs.mkdirSync(path.dirname(file), { recursive: true });
-  fs.writeFileSync(file, content);
+  fs.mkdirSync(path.dirname(TEST_CONFIG), { recursive: true });
+  fs.writeFileSync(TEST_CONFIG, content);
 }
 
 function removeConfig() {
-  const file = path.join(process.cwd(), '.github', 'dependabot.yml');
-  if (fs.existsSync(file)) fs.unlinkSync(file);
+  if (fs.existsSync(TEST_CONFIG)) fs.unlinkSync(TEST_CONFIG);
 }
@@
-    const result = validateDependabot();
+    const result = validateDependabot(TEST_CONFIG);
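Review bot: TEST_DIR is created with fs.mkdtempSync but nothing in the diff removes it, so every test run leaves a dependabot-validator-* directory behind in os.tmpdir(); afterAll is already imported, so add `afterAll(() => fs.rmSync(TEST_DIR, { recursive: true, force: true }))`. The change also assumes validateDependabot accepts a path argument, which the removed `validateDependabot()` call did not need; make sure the validator's signature change lands in the same commit.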

Also applies to: 19-21, 23-103


@github-actions

Hello 👋 This PR has had no activity for more than 2 weeks. If you are still working on it, please push an update or leave a comment. Ping a maintainer if you believe it is ready for review or merge! This PR will be automatically closed in 7 days if there is no further activity.

@github-actions github-actions bot added the Stale label Mar 18, 2026
