-
Notifications
You must be signed in to change notification settings - Fork 9.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
misc: add dependabot.yml #15341
misc: add dependabot.yml #15341
Conversation
Should we do the same for other random |
No, those are arguably security sensitive (we tell people to use them as examples) so should get updates. |
"security" |
Then should we change the docs ones that use |
Idk, let's not overfit this thing and just continue to use what we thought best for these examples |
@@ -1,7 +1,7 @@ | |||
{ | |||
"private": true, | |||
"type": "module", | |||
"dependencies": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good catch
See https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
There is no way to exclude certain subfolders (like legacy-javascript package.json). See dependabot/dependabot-core#4364 . But we could at least move all those deps into devDeps which should exclude them from updates.