From a5f1e1c399f94a2107d820fcaa02e9e13490d837 Mon Sep 17 00:00:00 2001 From: Nara Kasbergen Kwon <855115+xiehan@users.noreply.github.com> Date: Wed, 18 Oct 2023 12:32:06 +0200 Subject: [PATCH] chore: enable Dependabot for security updates only (#183) --- .github/dependabot.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..057fcaf --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,20 @@ +# NOTE: This file is not managed by Projen because if you enable Dependabot through Projen, +# it will delete the upgrade-main job and expect you to only use Dependabot for updates. +# That is not what we want either; we just want to use Dependabot for security updates. + +version: 2 +updates: + - package-ecosystem: npm + versioning-strategy: lockfile-only + directory: / + schedule: + interval: daily + ignore: + - dependency-name: projen + labels: + - auto-approve + - automerge + - dependencies + - security + # Disable version updates for npm dependencies, only use Dependabot for security updates + open-pull-requests-limit: 0