From d9d1d448ae3a50d23370d4d14db6a4b7a2805002 Mon Sep 17 00:00:00 2001
From: Headgent Development <rolf@headgent.com>
Date: Fri, 12 Jun 2026 08:06:15 +0200
Subject: [PATCH] fix(deps): pin QA tools to exact versions and add dependabot
 config (phpstan 2.1.56, phpcs 3.13.5, phpunit 11.5.55, composer 2.10.1)

---
 .github/dependabot.yml | 15 +++++++++++++++
 composer.json          |  8 ++++----
 2 files changed, 19 insertions(+), 4 deletions(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..bf4de10
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: "composer"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    reviewers:
+      - "Headgent"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    reviewers:
+      - "Headgent"
diff --git a/composer.json b/composer.json
index 7f5f47e..18da0bb 100644
--- a/composer.json
+++ b/composer.json
@@ -17,10 +17,10 @@
         "composer-plugin-api": "^2"
     },
     "require-dev": {
-        "composer/composer": "^2.7",
-        "phpunit/phpunit": "^11.0",
-        "phpstan/phpstan": "^2.0.4",
-        "squizlabs/php_codesniffer": "^3.11.2"
+        "composer/composer": "2.10.1",
+        "phpunit/phpunit": "11.5.55",
+        "phpstan/phpstan": "2.1.56",
+        "squizlabs/php_codesniffer": "3.13.5"
     },
     "autoload": {
         "psr-4": {