Made the following additions to dependabot.yml:

```yaml
# Make PR to `stage` branch
target-branch: "stage"
# Disable version updates for npm dependencies, but allow security updates
# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit
open-pull-requests-limit: 0
# `auto` uses `increase` for apps and `widen` for libraries
# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy
versioning-strategy: auto
```
Then in the repo's settings for configuring Dependabot alerts, I added a rule with severity: critical and high, scope: runtime (to avoid development upgrades), ecosystem: npm. This, in combination with the above file, hopefully means that there will be only security updates for production dependencies.

I had to revert lint-staged (a dev dep) back to 10.5.4 because the newer version needs Node 16 or later (this repo uses 14.x). It was preventing me from committing changes locally.
cc @cav1sa
`npm ci` instead of `npm i` in GitHub CI