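--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,55 @@
+# PM4 package: Laravel is provided by the host app; composer.json is only for this package's own PHP code/deps.
+# JS build: Vue 2 + Laravel Mix (manifest: package.json). Built assets under public/js/ are not scanned by Dependabot.
+#
+# Policy: NO routine version-update PRs (open-pull-requests-limit: 0).
+# Security/CVE PRs are handled by Dependabot security updates (org Settings → Code security).
+# Security PRs are batched into one PR per ecosystem (patch/minor).
+# Major security PRs will still open if no patch/minor fix exists — treat as manual review.
+#
+# Vue 2 pin: security fixes requiring Vue 3+ will be suppressed — accepted risk,
+# migration not planned. Same applies to vue-loader, vue-template-compiler, @vue/cli.
+#
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+version: 2
+updates:
+- package-ecosystem: npm
+directory: /
+schedule:
+interval: weekly
+day: monday
+open-pull-requests-limit: 0
+ignore:
+# If you ever raise `open-pull-requests-limit`, this skips routine major bumps.
+# Note: update-types has no effect on security updates.
+- dependency-name: "*"
+update-types: ["version-update:semver-major"]
+- dependency-name: "vue"
+versions: [">=3.0.0"] # stay on Vue 2.x — suppresses security PRs requiring v3+ too
+- dependency-name: "@vue/cli*"
+versions: [">=5.0.0"] # CLI v5+ is Vue 3 era
+- dependency-name: "vue-loader"
+versions: [">=17.0.0"] # vue-loader v17+ drops Vue 2 support
+- dependency-name: "vue-template-compiler"
+versions: [">=3.0.0"] # must stay in sync with Vue 2.x
+groups:
+npm-security:
+applies-to: security-updates # batches all JS security PRs into one
+patterns: # note: update-types has no effect here for security
+- "*"
+
+- package-ecosystem: composer
+directory: /
+schedule:
+interval: weekly
+day: monday
+open-pull-requests-limit: 0
+ignore:
+# If you ever raise `open-pull-requests-limit`, this skips routine major bumps.
+# Note: update-types has no effect on security updates.
+- dependency-name: "*"
+update-types: ["version-update:semver-major"]
+groups:
+composer-security:
+applies-to: security-updates # batches all PHP security PRs into one
+patterns:
+- "*"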
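Review bot: The `ignore` entries for `vue`, `@vue/cli*`, `vue-loader` and `vue-template-compiler` suppress the security update PRs but, as far as I know, not the Dependabot alerts themselves, so those alerts will stay open in the repository's Security tab with no automated path to closure, and the header comment that calls this an "accepted risk" names no owner or triage step. I would extend the Vue 2 pin comment with `# Alerts for these packages still fire — dismiss as "risk accepted" or triage by hand; Vue 2.x is end-of-life upstream, so a new vue advisory is unlikely to ship a 2.x fix.` Separately, the header promises that major security bumps are "manual review", but `patterns: ["*"]` on both security groups folds any major security fix into the same batched PR as the patch/minor ones, so it will not stand out; if `update-types: ["patch", "minor"]` is honoured on `applies-to: security-updates` groups (the inline comment on `npm-security` says it is not — worth confirming against the linked docs), adding it would keep majors as separate, visibly flagged PRs. Finally, since the committed bundle under public/js/ is unscanned, a merged npm security PR only takes effect once the assets are rebuilt; consider a CI check that the bundle was regenerated from the bumped package.json.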