Context
PR #130 adds supply chain hardening including Dependabot for GitHub Actions, but deliberately excludes the npm ecosystem to keep scope small and allow team discussion first.
Proposal
Add an npm ecosystem entry to .github/dependabot.yml:

```yaml
- package-ecosystem: "npm"
  directory: "/"
  schedule:
    interval: "weekly"
  cooldown:
    default-days: 7
    semver-major-days: 14
    semver-minor-days: 7
    semver-patch-days: 3
```
Considerations
- PR volume: This repo has ~30 direct dependencies. Dependabot will open a PR for each outdated one on the first run, then settle into a steady trickle. Consider setting open-pull-requests-limit to cap the number of concurrent PRs.
- Grouping: Dependabot supports groups to batch related updates (e.g., all @radix-ui/* or all @storybook/* packages) into a single PR, reducing noise.
- Cooldown alignment: The pnpm minimumReleaseAge setting (currently 7 days) already refuses too-new package versions at install time. The Dependabot cooldown is defense-in-depth: it delays the proposal of the update rather than its installation.
- Security updates: Dependabot security updates bypass cooldowns automatically, so critical patches still arrive promptly.
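The following is an added example of a complete .github/dependabot.yml that combines the proposed npm entry with the open-pull-requests-limit and groups options from the considerations above. It is not taken from PR #130 or from this repo; the group names, the limit of 5, the additional storybook pattern, and the dev-dependency group are illustrative choices, and the github-actions entry is only a placeholder for whatever PR #130 already configures.

```yaml
version: 2
updates:
  # Placeholder for the GitHub Actions entry that PR #130 adds (assumed shape).
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # Proposed npm entry. The "npm" ecosystem also covers pnpm and yarn lockfiles.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap concurrent version-update PRs (5 is also Dependabot's default).
    open-pull-requests-limit: 5
    # Delay proposing a version until it has been published this many days.
    cooldown:
      default-days: 7
      semver-major-days: 14
      semver-minor-days: 7
      semver-patch-days: 3
    # Batch related packages into one PR. A dependency joins the first group
    # whose rules it matches, so order matters when patterns overlap.
    groups:
      radix-ui:
        patterns:
          - "@radix-ui/*"
      storybook:
        patterns:
          - "@storybook/*"
          - "storybook"
      # Illustrative: fold all minor/patch bumps of devDependencies into one PR.
      dev-minor-and-patch:
        dependency-type: "development"
        update-types:
          - "minor"
          - "patch"
```

Two things to check before adopting this: major updates are deliberately left ungrouped so each one gets its own review, and the 3-day patch cooldown is shorter than the 7-day pnpm minimumReleaseAge, so if pnpm enforces that setting while Dependabot regenerates the lockfile, a freshly proposed patch version may still be rejected at install time until it ages; raising semver-patch-days to 7 keeps the two settings consistent.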
Alternative
If Dependabot feels too noisy, Renovate offers more granular control (automerge rules for patch updates, grouped PRs by default, etc.), and its config:best-practices preset is a sensible starting configuration.