diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 9b040905..21712b46 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,20 +9,16 @@ updates:
       day: monday
       time: "09:00"
       timezone: Etc/UTC
-    cooldown:
-      default-days: 3
-    open-pull-requests-limit: 5
+    open-pull-requests-limit: 0
     commit-message:
       prefix: chore
       prefix-development: chore
       include: scope
     groups:
-      npm-minor-and-patch:
+      npm-security:
+        applies-to: security-updates
         patterns:
           - "*"
-        update-types:
-          - minor
-          - patch
 
   - package-ecosystem: github-actions
     directory: /
@@ -31,9 +27,12 @@ updates:
       day: tuesday
       time: "09:00"
       timezone: Etc/UTC
-    cooldown:
-      default-days: 3
-    open-pull-requests-limit: 3
+    open-pull-requests-limit: 0
     commit-message:
       prefix: chore
       include: scope
+    groups:
+      github-actions-security:
+        applies-to: security-updates
+        patterns:
+          - "*"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 00000000..9cbf4b8f
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,28 @@
+name: Dependency Review
+
+on:
+  pull_request:
+    paths:
+      - "**/package.json"
+      - "**/package-lock.json"
+      - "**/pnpm-lock.yaml"
+      - "pnpm-workspace.yaml"
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v5
+        with:
+          fail-on-severity: high
+          fail-on-scopes: runtime, development, unknown
+          license-check: false
+          show-patched-versions: true
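Review bot: `open-pull-requests-limit: 0` on the npm entry (and the same line in the github-actions hunk below) switches Dependabot version updates off entirely, leaving the `npm-security` group with `applies-to: security-updates` as the only source of PRs; that is presumably the intent, but nothing in the file says so and a later reader is likely to read `0` as a misconfiguration. I'd add a comment above each: `# 0 disables version updates; Dependabot security updates use their own internal PR limit and are still raised`. Dropping `cooldown` at the same time means an advisory now produces a PR immediately rather than after three days, which is the right trade-off once only security updates remain. The side effect worth recording somewhere is that stale-but-not-vulnerable dependencies are no longer surfaced by Dependabot at all, so some other periodic signal (an outdated-check in CI, for instance) may be wanted.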
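Review bot: Both actions are pinned to mutable major tags (`actions/checkout@v6`, `actions/dependency-review-action@v5`) in a workflow whose purpose is supply-chain review; a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<FULL_COMMIT_SHA>  # v6`, makes the reference immutable, and the new `github-actions-security` Dependabot group should keep such pins current for advisories. Separately, the `paths` filter means the job never starts on PRs that touch no manifest or lockfile; if `dependency-review` is later made a required status check, those PRs will wait on a check that never reports, so either drop the filter (the action presumably completes quickly when no dependency changed) or keep this job out of the required set. `fail-on-severity: high` lets moderate and low advisories through without failing the check, which is a defensible policy but deserves a one-line comment stating it, and the same goes for `license-check: false`.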