Dependabot and commitlint don't get along by default

A repo with commitlint and conventional commits in CI, plus Dependabot for dependency PRs — sounds like a normal modern setup. Except every Dependabot PR fails the lint check, because Dependabot’s default commit subject is Bump axios from 1.7.0 to 1.8.0 and conventional-commits wants chore(deps): .... Two good defaults that hate each other.

The fix lives in .github/dependabot.yml:

updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "chore(deps)"
      prefix-development: "chore(deps-dev)"
      include: "scope"

That alone unblocks the PRs. The bonus footgun: while wiring up wagoid/commitlint-github-action@v6, I tried setting firstParent: true to skip merge commits — and it just silently did nothing. The README still references the input, but the v6 release renamed it to commitDepth. Two things going wrong at once made this take longer than it should have.

Lesson for future me: when an action’s input “doesn’t seem to do anything”, don’t assume your YAML is wrong — check the action’s actual source for the current parameter names before blaming yourself.