fix: add dependabot.yml to fix npm workspaces issues

Adds dependabot configuration to address npm workspace lockfile issues that caused PR #3021 to fail. The root cause was Dependabot trying to update the same package (glob) to different major versions across workspace directories, creating an inconsistent package-lock.json that fails `npm ci`. Key changes: - Configure npm updates from root directory only (per issue #6346) - Use versioning-strategy: increase for consistent lockfile updates - Explicitly configure security update grouping via applies-to See: - https://github.com/dependabot/dependabot-core/issues/6346 - https://github.com/dependabot/dependabot-core/issues/7157
2026-02-19 11:54:58 -05:00 · 2025-11-26 12:45:43 +00:00
parent 78e0088ebd
commit 4ca2b2626a
1 changed files with 56 additions and 0 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,56 @@
+version: 2
+updates:
+  # npm workspaces monorepo - manage from root only
+  # See: https://github.com/dependabot/dependabot-core/issues/6346
+  # Dependabot has issues updating package-lock.json when configured
+  # for individual workspace directories. Using root directory ensures
+  # consistent lockfile updates across all workspaces.
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    # Use 'increase' strategy to ensure both package.json and package-lock.json
+    # are updated consistently
+    versioning-strategy: increase
+    groups:
+      # Group version updates (minor/patch only for safety)
+      npm-dependencies:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Explicitly configure security updates grouping
+      # This ensures security updates are handled from the root directory
+      # to avoid npm workspace hoisting issues when different workspaces
+      # need different major versions of the same package
+      npm-security:
+        applies-to: security-updates
+        patterns:
+          - "*"
+
+  # Python packages
+  - package-ecosystem: "pip"
+    directory: "/src/fetch"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "pip"
+    directory: "/src/git"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "pip"
+    directory: "/src/time"
+    schedule:
+      interval: "weekly"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      github-actions:
+        patterns:
+          - "*"