Problem
The estate feedback_always_automerge_prs hook + the standard branch-protection setup let dependabot major-version bumps merge as long as the validation/governance gates pass (K9, A2ML, language-policy, trusted-base). These content-checks do not compile the workspace. If a major bump ships an API break that no call-site has been updated for, it merges green into main and breaks every downstream check that does compile (Rust CI, Live Provers, MVP Smoke, …) on every subsequent push until somebody notices and reverts.
Real-world incident (echidna, 2026-05-29)
Five dependabot major bumps merged in a chain over ~2h:
| PR | Bump | Real break |
| --- | --- | --- |
| #120 | axum 0.7 → 0.8 | tower-http 0.6 transitive mismatch (`follow_redirect/policy/mod.rs`) |
| #121 | rand 0.9 → 0.10 | `Rng` trait renamed to `RngExt`; `use rand::Rng` no longer brings `random_range`/`random` into scope |
| #122 | criterion 0.5 → 0.8 | bench harness changes |
| #123 | nom 7 → 8 | combinators went closure-based → trait-based: `alt(args)(input)` → `alt(args).parse(input)` |
| #124 | rustyline 15 → 18 | editor API changes |
Every subsequent push was red on Rust CI (compile errors) + Live Provers (all T1+T2 fail to compile) + MVP Smoke (best-effort compile). Echidna PR #128 reverts all five.
Options (in order of strength)
- Dependabot config: draft major bumps. Per-repo `.github/dependabot.yml`:

  ```yaml
  open-pull-requests-limit: 10
  groups:
    minor-and-patch:
      patterns: ["*"]
      update-types: ["minor", "patch"]
  # Majors fall outside the group and get their own PRs; Dependabot opens them
  # as ready (there is no dependabot.yml option to open a PR as draft)
  ```

  Doesn't directly draft majors but reduces noise; majors still open as ready, which is the failure mode.
- Dependabot config + a `require-review` label on majors. `dependabot.yml` itself cannot do this on its own: the `update-types: ["version-update:semver-major"]` matcher only exists under `ignore`, and `labels` apply to every PR of an update block, so the label has to be applied by a workflow that reads the PR's update type (e.g. the `update-type` output of `dependabot/fetch-metadata`). Branch protection has no "required label" rule either; enforce it with a required status check that fails while the label is present. Effectively forces manual review of majors.
- Branch-protection: require Rust CI / Live Provers for merge, not just validation gates. The cleanest fix: the compile signal would have caught all 5 echidna bumps at PR time. May be inappropriate for non-Rust repos in the estate; would need per-repo tailoring.
- Estate-wide `.github/dependabot.yml` template in standards that disables major-version bumps entirely (`ignore: [...] update-types: ["version-update:semver-major"]`). Majors then require manual issue → manual PR with paired code update. Most conservative.
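Concrete shape of options 1, 2 and 4, as an added example rather than config taken from echidna or from standards: a per-repo `dependabot.yml` that groups minor/patch bumps and leaves majors as individual PRs, followed by a small workflow that flips any semver-major Dependabot PR to draft and labels it. The `cargo` ecosystem, the weekly schedule, the `require-review` label name and the workflow filename are assumptions; `dependabot/fetch-metadata` and its `update-type` output, `gh pr ready --undo`, and the `ignore` syntax are real GitHub features. The commented `ignore` block is the option-4 variant.

```yaml
# .github/dependabot.yml  (added example; cargo ecosystem and weekly cadence are assumptions)
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      # One grouped PR for all minor/patch bumps. Majors are excluded from the
      # group and arrive as individual PRs, opened as ready (the failure mode).
      minor-and-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]
    # Option 4 (most conservative): uncomment to stop Dependabot from opening
    # major-version PRs at all; majors then need a manual PR with code changes.
    # ignore:
    #   - dependency-name: "*"
    #     update-types: ["version-update:semver-major"]

---
# .github/workflows/dependabot-majors.yml  (added example; filename and label name are assumptions)
# Runs once when Dependabot opens a PR, asks fetch-metadata what kind of bump
# it is, and for semver-major bumps converts the PR to draft and labels it.
# Only `opened` is handled on purpose: a human marking the PR ready, or a
# later rebase push, must not silently re-draft it.
name: dependabot-majors
on:
  pull_request:
    types: [opened]

permissions:
  pull-requests: write   # Dependabot-triggered runs get a read-only token unless elevated here

jobs:
  gate-majors:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - id: meta
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Draft and label semver-major bumps
        if: steps.meta.outputs.update-type == 'version-update:semver-major'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
        run: |
          gh pr edit "$PR" --repo "$GITHUB_REPOSITORY" --add-label require-review
          gh pr ready "$PR" --repo "$GITHUB_REPOSITORY" --undo   # convert to draft
```

GitHub's own auto-merge cannot be enabled on a draft PR; whether the `feedback_always_automerge_prs` hook also respects draft status is an assumption that needs checking before relying on this. Option 3 is not expressed in YAML at all: it is the "require status checks to pass" rule in branch protection or a ruleset, with `Rust CI` / `Live Provers` added as required contexts.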
Scope
Policy decision. Best handled in standards/docs/ with a propagation campaign to the estate's dependabot.yml files. No code change in standards itself.
Severity
High — every estate repo with auto-merge + dependabot is vulnerable to this class of break. Echidna's case took down all of CI for ~24h until triage; replication elsewhere is just a matter of time.