version: 2 updates: - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" # npm ecosystem covers pnpm, including workspace catalogs (GA Feb 2025). - package-ecosystem: "npm" directory: "/" schedule: interval: "weekly" # pnpm enforces minimumReleaseAge (1440min / 1 day) at install time, so a # PR for a too-fresh version would fail `pnpm install` in CI. Hold updates # back past that gate (with margin) so Dependabot never proposes a version # pnpm will refuse. See pnpm-workspace.yaml. cooldown: default-days: 3 semver-major-days: 7 # Group only minor/patch bumps. Majors carry breaking changes and # peer-dep incompatibilities (e.g. @vitejs/plugin-react@6 importing # vite/internal, which rolldown-vite doesn't export), so they break out # into individual PRs for separate review instead of poisoning the batch. groups: dev-dependencies: dependency-type: "development" update-types: ["minor", "patch"] production-dependencies: dependency-type: "production" update-types: ["minor", "patch"] open-pull-requests-limit: 10