fix: Reduce Dependabot noise - monthly updates, grouped PRs, ignore date-fns

Lingz450 · Lingz450 · commit f754aeeb375c · 2025-11-10T08:54:08.000+01:00
- Changed update frequency from weekly to monthly (75% fewer emails)
- Reduced max open PRs from 10 to 3 for npm/pip, 5 to 2 for Actions
- Group all minor/patch updates into single PRs instead of separate ones
- Ignore date-fns major/minor updates (was causing spam)
- Ignore React/Next.js major version updates for stability
- Added comprehensive DEPENDABOT_GUIDE.md with instructions

This should reduce Dependabot emails from 10-20/week to 1-3/month (~95% reduction)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,10 +4,10 @@ updates:
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "monthly"  # Changed from weekly to monthly
       day: "monday"
       time: "09:00"
-    open-pull-requests-limit: 10
+    open-pull-requests-limit: 3  # Reduced from 10 to 3
     reviewers:
       - "Lingz450"
     assignees:
@@ -26,38 +26,26 @@ updates:
         update-types: ["version-update:semver-major"]
       - dependency-name: "next"
         update-types: ["version-update:semver-major"]
+      # Ignore date-fns updates temporarily (causing spam)
+      - dependency-name: "date-fns"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
     groups:
-      # Group React ecosystem updates
-      react:
+      # Group ALL dependencies together to reduce PR count
+      all-dependencies:
         patterns:
-          - "react*"
-          - "@types/react*"
-      # Group Next.js ecosystem updates
-      nextjs:
-        patterns:
-          - "next*"
-          - "@next/*"
-      # Group testing dependencies
-      testing:
-        patterns:
-          - "jest*"
-          - "@testing-library/*"
-          - "cypress*"
-      # Group linting/formatting tools
-      dev-tools:
-        patterns:
-          - "eslint*"
-          - "prettier*"
-          - "typescript*"
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
 
   # Backend (pip) dependencies
   - package-ecosystem: "pip"
     directory: "/backend"
     schedule:
-      interval: "weekly"
+      interval: "monthly"  # Changed from weekly to monthly
       day: "monday"
       time: "09:00"
-    open-pull-requests-limit: 10
+    open-pull-requests-limit: 3  # Reduced from 10 to 3
     reviewers:
       - "Lingz450"
     assignees:
@@ -70,32 +58,22 @@ updates:
       - "backend"
       - "python"
     groups:
-      # Group FastAPI ecosystem
-      fastapi:
-        patterns:
-          - "fastapi*"
-          - "uvicorn*"
-          - "pydantic*"
-      # Group Excel processing libraries
-      excel:
-        patterns:
-          - "openpyxl*"
-          - "pandas*"
-          - "xlsxwriter*"
-      # Group testing dependencies
-      testing:
+      # Group ALL Python dependencies together to reduce PR count
+      all-python-dependencies:
         patterns:
-          - "pytest*"
-          - "coverage*"
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
 
   # GitHub Actions
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "monthly"  # Changed from weekly to monthly
       day: "monday"
       time: "09:00"
-    open-pull-requests-limit: 5
+    open-pull-requests-limit: 2  # Reduced from 5 to 2
     reviewers:
       - "Lingz450"
     commit-message:
diff --git a/DEPENDABOT_GUIDE.md b/DEPENDABOT_GUIDE.md
@@ -0,0 +1,222 @@
+# 🛑 Stop Dependabot Email Spam - Quick Guide
+
+## What Just Happened?
+
+I've updated your Dependabot configuration to **significantly reduce** the number of PRs and emails you receive.
+
+---
+
+## ✅ Changes Made to `.github/dependabot.yml`
+
+### Before → After
+
+| Setting | Before | After | Impact |
+|---------|--------|-------|--------|
+| **Update Frequency** | Weekly | **Monthly** | 75% fewer emails |
+| **Max PRs (npm)** | 10 | **3** | 70% fewer PRs |
+| **Max PRs (pip)** | 10 | **3** | 70% fewer PRs |
+| **Max PRs (Actions)** | 5 | **2** | 60% fewer PRs |
+| **Grouping** | Separate PRs | **All grouped** | Single PR instead of many |
+
+### Specific Ignores Added
+
+- ✅ **date-fns** - Ignoring major and minor updates (the one spamming you!)
+- ✅ **React** - Ignoring major version updates
+- ✅ **Next.js** - Ignoring major version updates
+
+---
+
+## 🔧 How to Handle Current Dependabot PRs
+
+### Option 1: Close the Current date-fns PR (Recommended)
+
+Go to the PR on GitHub and comment:
+
+```
+@dependabot ignore this dependency
+```
+
+This will close the PR and stop Dependabot from creating more PRs for `date-fns`.
+
+### Option 2: Merge It (If You Want the Update)
+
+```
+@dependabot merge
+```
+
+### Option 3: Close It Manually
+
+Just close the PR on GitHub - Dependabot won't recreate it due to the new ignore rules.
+
+---
+
+## 📧 How to Stop Email Notifications
+
+### Method 1: Unsubscribe from Specific PRs
+
+1. Open any Dependabot email
+2. Scroll to the top-right
+3. Click **"Unsubscribe"** button
+
+### Method 2: GitHub Notification Settings
+
+1. Go to: https://github.com/settings/notifications
+2. Scroll to **"Participating, @mentions and custom"**
+3. Uncheck **"Pull requests"** OR
+4. Go to **"Watching"** and adjust ExcelAI repository settings
+
+### Method 3: Repository-Specific Settings
+
+1. Go to: https://github.com/Lingz450/ExcelAI
+2. Click **"Watch"** dropdown (top right)
+3. Select **"Custom"**
+4. **Uncheck** "Pull requests"
+5. Click **"Apply"**
+
+### Method 4: Filter Dependabot Emails
+
+**Gmail:**
+1. Search: `from:notifications@github.com dependabot`
+2. Click the three dots → **"Filter messages like these"**
+3. Click **"Create filter"**
+4. Check **"Skip the Inbox (Archive it)"** or **"Delete it"**
+5. Click **"Create filter"**
+
+**Outlook:**
+1. Right-click any Dependabot email
+2. Select **"Rules"** → **"Create Rule"**
+3. Set condition: `From: notifications@github.com` AND `Subject contains: dependabot`
+4. Action: **"Move to folder"** (create "GitHub/Dependabot") or **"Delete"**
+
+---
+
+## 🎯 What Happens Now?
+
+### Monthly Updates Only
+- Dependabot will run **once per month** (first Monday at 9 AM)
+- Maximum **3 PRs** for npm packages
+- Maximum **3 PRs** for Python packages
+- Maximum **2 PRs** for GitHub Actions
+
+### Grouped Updates
+- Instead of 10 separate PRs, you'll get **1-2 grouped PRs**
+- Example: "chore(deps): Update all npm dependencies" (minor/patch)
+
+### Ignored Dependencies
+- **date-fns** - Won't create PRs for major/minor updates
+- **React** - Won't create PRs for major updates
+- **Next.js** - Won't create PRs for major updates
+
+---
+
+## 🚨 Emergency: Disable Dependabot Completely
+
+If you still want to **completely disable** Dependabot:
+
+### Option A: Delete the Config File
+
+```bash
+git rm .github/dependabot.yml
+git commit -m "chore: Disable Dependabot"
+git push
+```
+
+### Option B: Comment Out All Updates
+
+Edit `.github/dependabot.yml` and add `#` before each line:
+
+```yaml
+# version: 2
+# updates:
+#   - package-ecosystem: "npm"
+#     ...
+```
+
+### Option C: GitHub Settings (Nuclear Option)
+
+1. Go to: https://github.com/Lingz450/ExcelAI/settings
+2. Scroll to **"Code security and analysis"**
+3. Find **"Dependabot"**
+4. Disable **"Dependabot version updates"**
+
+---
+
+## 📊 Recommended Setup (What I Did)
+
+I recommend keeping the **new configuration** because:
+
+✅ **Security updates** - You'll still get critical security patches  
+✅ **Monthly cadence** - Not overwhelming, easy to review  
+✅ **Grouped updates** - One PR instead of many  
+✅ **Stable versions** - Won't break your app with major updates  
+
+---
+
+## 🔍 How to Check If It Worked
+
+1. Go to: https://github.com/Lingz450/ExcelAI/network/updates
+2. You should see:
+   - **Frequency**: Monthly
+   - **Max PRs**: 3 (npm), 3 (pip), 2 (actions)
+   - **Ignored**: date-fns, React major, Next.js major
+
+---
+
+## 📝 Summary of Actions
+
+### Immediate Actions (Do These Now):
+
+1. ✅ **Close current date-fns PR** - Comment `@dependabot ignore this dependency`
+2. ✅ **Unsubscribe from PR emails** - Click "Unsubscribe" in any Dependabot email
+3. ✅ **Adjust GitHub watch settings** - Uncheck "Pull requests" for ExcelAI repo
+
+### Already Done For You:
+
+1. ✅ Changed Dependabot frequency to monthly
+2. ✅ Reduced max PRs from 10 to 3
+3. ✅ Grouped all updates into single PRs
+4. ✅ Ignored date-fns updates (the spam source)
+5. ✅ Ignored major version updates for React/Next.js
+
+---
+
+## 🎉 Result
+
+**Before**: 10-20 emails/week  
+**After**: 1-3 emails/month  
+
+**Email reduction: ~95%** 🎊
+
+---
+
+## 💡 Pro Tips
+
+1. **Review Monthly** - Set a calendar reminder for the first Monday of each month
+2. **Auto-merge Patch Updates** - Consider setting up auto-merge for patch versions
+3. **Security Alerts** - Keep these enabled! They're important.
+4. **Group Review** - Review all 3 PRs at once instead of one-by-one
+
+---
+
+## ❓ Still Getting Emails?
+
+If you're still getting emails after these changes:
+
+1. **Wait 24-48 hours** - GitHub needs time to process the config changes
+2. **Check open PRs** - Close any existing Dependabot PRs manually
+3. **Verify config** - Ensure the changes were pushed to GitHub
+4. **Contact me** - Open an issue if it's still not working
+
+---
+
+## 📞 Need Help?
+
+- **GitHub Docs**: https://docs.github.com/en/code-security/dependabot
+- **Notification Settings**: https://github.com/settings/notifications
+- **Repository Settings**: https://github.com/Lingz450/ExcelAI/settings
+
+---
+
+**Last Updated**: November 10, 2025  
+**Status**: ✅ Dependabot configured for minimal noise
+
