diff --git a/.github/dependabot.yml b/.github/dependabot.yml index a4344a75..c7bb3397 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,7 +5,8 @@ version: 2 # a newly published version for 30 days before proposing it (cooldown), to lower # supply-chain risk from fresh or compromised releases. Cooldown does not apply # to security updates, so enabling Dependabot security updates in the repository -# settings still lands those immediately. +# settings still lands those immediately. Dependabot requires `patterns` on every +# update that joins a multi-ecosystem group; `["*"]` includes the whole ecosystem. multi-ecosystem-groups: dev-tooling: schedule: @@ -15,6 +16,7 @@ updates: # npm devDependencies: prek, Prettier, Bats. - package-ecosystem: npm directory: "/" + patterns: ["*"] multi-ecosystem-group: dev-tooling cooldown: default-days: 30 @@ -22,6 +24,7 @@ updates: # GitHub Actions used by the CI workflows. - package-ecosystem: github-actions directory: "/" + patterns: ["*"] multi-ecosystem-group: dev-tooling cooldown: default-days: 30 @@ -30,6 +33,7 @@ updates: # pre-commit-hooks). prek reads the same config format Dependabot updates. - package-ecosystem: pre-commit directory: "/" + patterns: ["*"] multi-ecosystem-group: dev-tooling cooldown: default-days: 30