require-dependabot-grouping
Require Dependabot grouping via groups or multi-ecosystem-groups.
Targeted pattern scope
This rule reads .github/dependabot.yml (or .github/dependabot.yaml) and checks
for either supported grouping strategy:
- groups: inside at least one updates entry.
- multi-ecosystem-groups: at the top level.
What this rule reports
This rule reports when the Dependabot configuration has neither groups: in
updates entries nor multi-ecosystem-groups: at the top level.
Why this rule exists
Without grouping, Dependabot can open a separate pull request for every dependency update.
In repositories with many dependencies, this can produce high PR noise and increase review and CI cost.
groups and multi-ecosystem-groups both reduce update churn by batching related updates.
Incorrect
# .github/dependabot.yml: no supported grouping strategy configured
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
Correct
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
    groups:
      all-dependencies:
        patterns:
          - "*"
Or, for multi-ecosystem batching:
version: 2
multi-ecosystem-groups:
  infrastructure:
    schedule:
      interval: weekly
updates:
  - package-ecosystem: npm
    directory: /
    patterns:
      - "*"
    multi-ecosystem-group: infrastructure
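The check described under "What this rule reports" can be approximated outside ESLint, for instance in a pre-merge script. The following is an added example, not the plugin's implementation: the function name `findGroupingStrategies` and the sample config are constructed here, and it assumes block-style YAML indented with spaces.

```javascript
// Added example, not the plugin's source: a small indentation scanner that
// approximates the rule. Assumes block-style YAML indented with spaces, and
// treats the presence of a key as enough (it does not validate group contents).
function findGroupingStrategies(yamlText) {
  const found = new Set();
  let inUpdates = false; // inside the top-level `updates:` block
  let dashIndent = -1;   // column of the `-` that starts each updates entry
  let keyIndent = -1;    // column of the keys that belong to the current entry

  for (const raw of yamlText.split(/\r?\n/)) {
    const line = raw.replace(/(^|\s)#.*$/, "").trimEnd(); // drop comments
    if (line === "") continue;
    const indent = line.search(/\S/);
    let body = line.trim();

    if (indent === 0 && !body.startsWith("-")) { // a top-level key
      inUpdates = /^updates\s*:/.test(body);
      dashIndent = keyIndent = -1;
      if (/^multi-ecosystem-groups\s*:/.test(body)) found.add("multi-ecosystem-groups");
      continue;
    }
    if (!inUpdates) continue;

    if (body.startsWith("-") && (dashIndent === -1 || indent === dashIndent)) {
      dashIndent = indent; // a new updates entry; its first key may share the line
      body = body.slice(1).trim();
      keyIndent = body ? line.indexOf(body, indent + 1) : -1;
    } else if (keyIndent === -1 && dashIndent !== -1) {
      keyIndent = indent; // first key of an entry whose dash stood alone
    } else if (indent !== keyIndent) {
      continue; // nested value (schedule, patterns, ...), not an entry key
    }
    if (/^groups\s*:/.test(body)) found.add("groups");
  }
  return [...found];
}

// Constructed sample: `groups:` placed at the top level instead of inside an
// updates entry, so neither supported strategy is present.
const MISPLACED = `version: 2
groups:
  all-dependencies:
    patterns:
      - "*"
updates:
  - package-ecosystem: npm
    directory: /
`;
console.log(findGroupingStrategies(MISPLACED)); // []
```

An empty result corresponds to the condition this rule reports; a non-empty result names which strategy was found.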
ESLint flat config example
import repoPlugin from "eslint-plugin-repo";

export default [
  repoPlugin.configs.dependabot,
  {
    plugins: { "repo-compliance": repoPlugin },
    rules: {
      "repo-compliance/require-dependabot-grouping": "warn",
    },
  },
];
When not to use it
Disable this rule if your repository intentionally requires one pull request per individual update and the extra PR volume is acceptable for your workflow.
Rule catalog ID: R054