
Ignore fixed versions for dependabot #16036

Merged
vmoroz merged 2 commits into microsoft:main from vmoroz:PR/main-dependabot-ignore-fixed-versions
Apr 23, 2026

Conversation

@vmoroz
Member

@vmoroz vmoroz commented Apr 22, 2026

Description

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • Automation (AI changes or Github Actions to reduce effort of manual tasks)

Why

Dependabot's grouped all-dependencies updates on stable branches can sweep in a minor bump of @types/react that is incompatible with the branch's frozen react runtime. On 0.74-stable this surfaced as #15911 — bumping @types/react from 18.2.67 → 18.3.28 broke TS compilation with a forwardRef inference error in KeyboardExt.tsx:

src-win/Libraries/Components/Keyboard/KeyboardExt.tsx(34,5): error TS2345:
  Argument of type '(props: PropsWithoutForwardedRef, ref: React.Ref<any>) => React.JSX.Element'
  is not assignable to parameter of type 'ForwardRefRenderFunction<any, PropsWithoutRef<PropsWithoutForwardedRef>>'.

Because @types/react is declared with a caret range (e.g. ^18.2.6, ^19.1.4) in the package.jsons, Dependabot's lockfile-only strategy still proposes minor bumps within that range — even though the paired react runtime is effectively pinned on each stable branch. The whole React family (react, react-native, react-test-renderer, @types/react) moves together, so any of them drifting to a different minor can break the build.

With the all-dependencies: '*' catch-all group (introduced in #15856) one bad package bump now blocks the entire grouped PR, where previously each update was a standalone PR that could be closed individually. The grouping is still a good idea for signal-to-noise; it just needs explicit ignore rules for packages that are version-locked to the branch's frozen React runtime.

Resolves #15911 (the bad bump will no longer be proposed on the next Dependabot run).

What

Added an ignore: block to each of the five stable-branch update entries in .github/dependabot.yml:

  Branch       react    Locked minor for React family
  0.74-stable  18.2.0   18.2.x
  0.81-stable  19.1.4   19.1.x
  0.82-stable  19.1.1   19.1.x
  0.83-stable  19.2.0   19.2.x
  0.84-stable  19.2.3   19.2.x

Each ignore block filters version-update:semver-minor and version-update:semver-major updates for:

  • react
  • react-native
  • react-test-renderer
  • @types/react
  • @types/react-dom (defensive — not currently in any stable-branch package.json, but pinned if added later)

Patch updates still flow through, so security patches within the locked minor continue to land.

The main-branch entry is unchanged — it should keep tracking upstream React releases.

Screenshots

N/A

Testing

Dependabot configuration is declarative YAML; changes take effect on the next scheduled Dependabot run. No local tests applicable.

Follow-up after merge:

  • Close #15911 and delete its dependabot/npm_and_yarn/0.74-stable/types/react-18.3.28 branch. Dependabot will not recreate it on the next weekly run because 18.3.x is now filtered out of the group.

Changelog

Should this change be included in the release notes: no

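The shape of one stable-branch entry after this change, written here as an added illustration rather than copied from the PR's .github/dependabot.yml; the directory, schedule interval and versioning-strategy values are assumptions, and the package list follows the description plus react-dom from the second commit message:

```yaml
version: 2
updates:
  # 0.74-stable keeps react on 18.2.x. The catch-all group bundles every
  # lockfile-only update into one PR, so without the ignore block a single
  # minor bump of @types/react (18.2.67 -> 18.3.28) blocks the whole group.
  - package-ecosystem: "npm"
    directory: "/"                 # assumed; use the branch's actual root
    target-branch: "0.74-stable"
    schedule:
      interval: "weekly"           # assumed
    versioning-strategy: "lockfile-only"
    groups:
      all-dependencies:
        patterns:
          - "*"
    # Only semver-minor and semver-major updates are ignored for the React
    # family; patch releases within 18.2.x still flow into the grouped PR.
    ignore:
      - dependency-name: "react"
        update-types: ["version-update:semver-minor", "version-update:semver-major"]
      - dependency-name: "react-native"
        update-types: ["version-update:semver-minor", "version-update:semver-major"]
      - dependency-name: "react-test-renderer"
        update-types: ["version-update:semver-minor", "version-update:semver-major"]
      - dependency-name: "@types/react"
        update-types: ["version-update:semver-minor", "version-update:semver-major"]
      # Defensive entries: not in any stable-branch package.json today, but
      # locked to the same minor if they are ever added.
      - dependency-name: "react-dom"
        update-types: ["version-update:semver-minor", "version-update:semver-major"]
      - dependency-name: "@types/react-dom"
        update-types: ["version-update:semver-minor", "version-update:semver-major"]
```

The 0.81 through 0.84 entries differ only in target-branch; the ignore list is identical because the locked minor is implied by whatever react version the branch's package.json already pins.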

vmoroz and others added 2 commits April 22, 2026 14:46
Dependabot's lockfile-only strategy respects the existing semver range in
package.json. Because @types/react is declared as a caret range (e.g.
"^18.2.6", "^19.1.4"), dependabot proposes minor-version bumps to the type
definitions even though the paired `react` runtime stays on its current
minor. On 0.74-stable this broke TS compilation — bumping @types/react from
18.2.67 to 18.3.28 failed with a forwardRef inference error in
KeyboardExt.tsx (see PR microsoft#15911).

Add an ignore rule to each stable-branch entry so minor and major updates
of @types/react and @types/react-dom are filtered out of the grouped PR.
Only patch updates flow through, keeping the type definitions aligned with
the frozen React minor on each branch:

  0.74-stable: @types/react locked to 18.2.x
  0.81-stable: @types/react locked to 19.1.x
  0.82-stable: @types/react locked to 19.1.x
  0.83-stable: @types/react locked to 19.2.x
  0.84-stable: @types/react locked to 19.2.x

The main-branch entry is unchanged — it should continue to track upstream
React type releases.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The react runtime, its type defs, and the matching test renderer are
version-locked together on each stable branch. Bumping any one of them to
a different minor can break TS compilation or runtime compatibility, so
lock the full set on every stable-branch dependabot entry.

Also include react-dom / @types/react-dom defensively — they aren't
currently in any stable-branch package.json but will be pinned if added
later.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@vmoroz vmoroz requested review from a team as code owners April 22, 2026 22:03
@vmoroz vmoroz enabled auto-merge (squash) April 22, 2026 22:45
@vmoroz vmoroz merged commit 0d0ef21 into microsoft:main Apr 23, 2026
31 checks passed
