
Add Dependabot config to backend repo for automated dependency updates #253

Description

@LucasMaupin

Summary

The `intercom-frontend` repo has a `.github/dependabot.yml` configured for daily npm dependency updates. The `intercom-manager` backend repo has no equivalent, meaning dependency vulnerabilities accumulate undetected until a manual `npm audit` is run.

Several backend devDependencies are already on older major versions (e.g. `@typescript-eslint/eslint-plugin@^5`, `eslint@^8`) which may have accumulated CVEs.

Recommendation

Add `.github/dependabot.yml` to `intercom-manager`:

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

This mirrors the frontend configuration. Major version bumps can be handled manually to avoid unexpected breaking changes.
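The gap described above (one repo with a Dependabot config, a sibling repo without) is the kind of drift a repo-wide audit can catch. The following is an added example, not part of the issue or of the intercom-manager or intercom-frontend projects: a POSIX shell check that, given a checked-out repository, reports whether `.github/dependabot.yml` exists, whether it covers the npm ecosystem, and whether it has a schedule interval. The sample repositories it creates under a temporary directory are constructed for the demonstration, and the directory names `frontend`, `backend` and `other` are hypothetical.

```shell
#!/bin/sh
# Added example (not project code): audit a checked-out repository for a
# Dependabot configuration that covers npm dependencies.
#
# Exit status of check_dependabot:
#   0 = config present, npm ecosystem entry and schedule interval found
#   1 = .github/dependabot.yml is missing
#   2 = config present but has no npm package-ecosystem entry
#   3 = npm entry present but no schedule interval
check_dependabot() {
    repo="$1"
    cfg="$repo/.github/dependabot.yml"
    if [ ! -f "$cfg" ]; then
        echo "MISSING: $cfg"
        return 1
    fi
    # Accept both quoted and unquoted ecosystem values.
    if ! grep -Eq '^[[:space:]]*-?[[:space:]]*package-ecosystem:[[:space:]]*"?npm"?' "$cfg"; then
        echo "NO-NPM: $cfg has no npm ecosystem entry"
        return 2
    fi
    if ! grep -Eq '^[[:space:]]*interval:[[:space:]]*"?(daily|weekly|monthly)"?' "$cfg"; then
        echo "NO-SCHEDULE: $cfg has no schedule interval"
        return 3
    fi
    echo "OK: $cfg"
    return 0
}

# Constructed sample repositories (hypothetical names) to exercise each status.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/frontend/.github" \
         "$SAMPLE_ROOT/backend" \
         "$SAMPLE_ROOT/other/.github"

# A repo that already has daily npm updates configured.
cat > "$SAMPLE_ROOT/frontend/.github/dependabot.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
EOF

# A repo whose Dependabot config only covers another ecosystem.
cat > "$SAMPLE_ROOT/other/.github/dependabot.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
EOF

# The backend sample has no .github/dependabot.yml at all.
for r in frontend backend other; do
    check_dependabot "$SAMPLE_ROOT/$r" || echo "  -> $r needs attention (status $?)"
done
```

Run over every clone in a directory of repositories to list the ones that still need a config; the distinct exit codes let a CI job fail only on the statuses the team cares about.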

Context

Severity

Low — Process improvement; reduces future security debt.


Found by automated security audit.
