Update dependabot-2.0.json schema to match current Dependabot features #5381
JamieMagee wants to merge 1 commit into SchemaStore:master from
Sync the dependabot-2.0.json schema with the current state of Dependabot's configuration options, adding missing features and fixing constraints to match the actual implementation.

Changes:
- Add pre-commit to package-ecosystem enum (beta ecosystem)
  dependabot/dependabot-core#2183
- Add goproxy-server to registry type enum
  https://github.blog/changelog/2025-09-09-go-private-registry-support-for-dependabot-now-generally-available
  dependabot/dependabot-core#12747
- Add OIDC and AWS CodeArtifact registry auth properties (tenant-id, client-id, jfrog-oidc-provider-name, identity-mapping-name, audience, aws-region, account-id, role-name, domain, domain-owner, registry)
  https://github.blog/changelog/2026-02-03-dependabot-now-supports-oidc-authentication
- Add group-by property to groups definition
  https://github.blog/changelog/2024-03-28-dependabot-grouped-security-updates-generally-available
- Add name property to update definition
- Add update-types, dependency-type, and exclude-patterns properties to multi-ecosystem-group definition
  https://github.blog/changelog/2025-07-01-single-pull-request-for-dependabot-multi-ecosystem-support
- Fix cooldown constraints to match implementation: minimum 1 (not 0) for default/major/minor days, maximum 90 for all day fields, maxItems 100 (not 150) for include/exclude
  https://github.blog/changelog/2025-07-01-dependabot-supports-configuration-of-a-minimum-package-age
- Fix ignore versions to accept string or array (was array-only)
- Replace inline timezone enum with $ref to base.json
- Add positive tests for new features
Thanks for the PR! This section of the codebase is owned by @madskristensen and
| "US/Pacific", | ||
| "US/Samoa" | ||
| ] | ||
| "$ref": "https://json.schemastore.org/base.json#/definitions/timezone" |
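Review bot: the `$ref` added on the last line of this hunk points at an absolute URL in a different document (`https://json.schemastore.org/base.json#/definitions/timezone`), so the schema is no longer self-contained and every consumer has to fetch or vendor base.json before it can validate a `timezone` value. Consider keeping the enum inline, or copying the timezone definition into this schema's own definitions and referencing it with a local pointer, so validation does not depend on a second document being reachable.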
👋 Hi there, check-jsonschema maintainer here! (not a SchemaStore maintainer)
I want to note that this could be a problem for offline use of the schema (e.g., in pre-commit.ci, where the network is disabled).
For check-jsonschema it would probably be a blocker on supporting this until I work out how to vendor base.json and feed it into the $ref resolution mechanism correctly. [1]
That's not to say that you can't or even "shouldn't" apply this change. Just to be aware that changing a schema such that it's no longer self-contained has some implications about how that schema is consumed.
Footnotes
1. Which I 100% need to do. It's just not been a priority.
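A check a consumer could run before shipping a vendored schema into a network-disabled environment, as an added example (not code from SchemaStore or check-jsonschema): it lists every `$ref` that resolves to a document other than the schema itself. The sample schema and its `$id` are constructed for illustration, and the walker assumes a single `$id` at the schema root.

```python
import json
from urllib.parse import urldefrag, urljoin

# Constructed sample: a trimmed stand-in for the schema after this change.
# The "$id" value is an assumption; only the timezone "$ref" is from the page.
SAMPLE_SCHEMA = json.loads("""
{
  "$id": "https://json.schemastore.org/dependabot-2.0.json",
  "definitions": {
    "schedule": {
      "type": "object",
      "properties": {
        "interval": {"$ref": "#/definitions/interval"},
        "timezone": {"$ref": "https://json.schemastore.org/base.json#/definitions/timezone"}
      }
    },
    "interval": {"enum": ["daily", "weekly", "monthly"]}
  },
  "properties": {"schedule": {"$ref": "#/definitions/schedule"}}
}
""")


def external_refs(schema, base_uri=""):
    """Return sorted (json_path, target_document) pairs for every $ref that
    resolves outside the schema's own document."""
    own_doc = urldefrag(schema.get("$id", base_uri)).url
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            ref = node.get("$ref")
            if isinstance(ref, str):
                # Resolve against the schema's own URI, then drop the fragment
                # so only the target document is compared.
                target = urldefrag(urljoin(own_doc, ref)).url
                if target != own_doc:
                    found.append((path + "/$ref", target))
            for key, value in node.items():
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for index, item in enumerate(node):
                walk(item, f"{path}/{index}")

    walk(schema, "#")
    return sorted(found)


def is_self_contained(schema, base_uri=""):
    """True when no $ref needs a second document to be fetched or vendored."""
    return not external_refs(schema, base_uri)
```

Each target document it reports is one that must be vendored and wired into the validator's reference resolution for offline validation to work.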
The schema had fallen behind the actual Dependabot configuration. This brings it up to date with features shipped over the past year or so.
What changed
New ecosystem and registry types:
- `pre-commit` added to `package-ecosystem` (beta, behind `enable-beta-ecosystems`) — dependabot/dependabot-core#2183
- `goproxy-server` added to registry `type` enum — Go private registry support GA, dependabot/dependabot-core#12747

OIDC and AWS CodeArtifact registry auth properties:
- `tenant-id`, `client-id` (Azure OIDC)
- `jfrog-oidc-provider-name`, `identity-mapping-name`, `audience` (JFrog OIDC)
- `aws-region`, `account-id`, `role-name`, `domain`, `domain-owner` (AWS CodeArtifact)
- `registry` (cargo-registry name)

Groups:
- `group-by` property ("dependency-name") — Grouped security updates GA

Multi-ecosystem groups:
- `update-types`, `dependency-type`, `exclude-patterns`, `open-pull-requests-limit` — Multi-ecosystem support GA

Update definition:
- `name` property (string, 3-100 chars)

Constraint fixes:
- `default-days`/`semver-major-days`/`semver-minor-days` minimum is 1, not 0. All day fields capped at 90. `include`/`exclude` maxItems is 100, not 150. — Cooldown GA
- `versions`: now accepts a string or an array (was array-only), matching actual behavior

Housekeeping:
- `$ref` to `base.json#/definitions/timezone`