From 7e99d31a882e8c300078704f852a588d4088b25c Mon Sep 17 00:00:00 2001
From: AugustoLopezProcess
Date: Thu, 21 May 2026 10:19:07 -0400
Subject: [PATCH] Add Dependabot configuration
---
 .github/dependabot.yml | 55 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..2988251
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,55 @@
+# PM4 package: Laravel is provided by the host app; composer.json is only for this package's own PHP code/deps.
+# JS build: Vue 2 + Laravel Mix (manifest: package.json). Built assets under public/js/ are not scanned by Dependabot.
+#
+# Policy: NO routine version-update PRs (open-pull-requests-limit: 0).
+# Security/CVE PRs are handled by Dependabot security updates (org Settings → Code security).
+# Security PRs are batched into one PR per ecosystem (patch/minor).
+# Major security PRs will still open if no patch/minor fix exists — treat as manual review.
+#
+# Vue 2 pin: security fixes requiring Vue 3+ will be suppressed — accepted risk,
+# migration not planned. Same applies to vue-loader, vue-template-compiler, @vue/cli.
+#
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+version: 2
+updates:
+ - package-ecosystem: npm
+ directory: /
+ schedule:
+ interval: weekly
+ day: monday
+ open-pull-requests-limit: 0
+ ignore:
+ # If you ever raise `open-pull-requests-limit`, this skips routine major bumps.
+ # Note: update-types has no effect on security updates.
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "vue"
+ versions: [">=3.0.0"] # stay on Vue 2.x — suppresses security PRs requiring v3+ too
+ - dependency-name: "@vue/cli*"
+ versions: [">=5.0.0"] # CLI v5+ is Vue 3 era
+ - dependency-name: "vue-loader"
+ versions: [">=17.0.0"] # vue-loader v17+ drops Vue 2 support
+ - dependency-name: "vue-template-compiler"
+ versions: [">=3.0.0"] # must stay in sync with Vue 2.x
+ groups:
+ npm-security:
+ applies-to: security-updates # batches all JS security PRs into one
+ patterns: # note: update-types has no effect here for security
+ - "*"
+
+ - package-ecosystem: composer
+ directory: /
+ schedule:
+ interval: weekly
+ day: monday
+ open-pull-requests-limit: 0
+ ignore:
+ # If you ever raise `open-pull-requests-limit`, this skips routine major bumps.
+ # Note: update-types has no effect on security updates.
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+ groups:
+ composer-security:
+ applies-to: security-updates # batches all PHP security PRs into one
+ patterns:
+ - "*"
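Review bot: The header comment states security PRs are batched "(patch/minor)" and that majors "will still open" separately, but neither the `npm-security` nor the `composer-security` group sets `update-types`, and the inline comment on `patterns:` says that key would not apply to security updates anyway, so the config as written does not establish which update types land in the grouped PR versus open on their own. Either add `update-types: ["minor", "patch"]` to both groups if that key is honored for security groups, or reword the two header lines to `# Security PRs are grouped into one PR per ecosystem; a fix only available as a major version is still opened — treat as manual review.` so the comment does not promise a split the file does not configure. The `versions: [">=3.0.0"]` ignore on `vue` (and the `@vue/cli*`, `vue-loader` and `vue-template-compiler` entries) suppresses pull requests only; as far as I know the corresponding Dependabot alert still surfaces in the Security tab, so the Vue 2 pin comment should say who handles those, e.g. `# Alerts for the ignored ranges are still raised; triage and dismiss them manually so the accepted risk is recorded.`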