From 4ca2b2626ab1c153b0ca4dbf147d895f1629bbd4 Mon Sep 17 00:00:00 2001 From: Adam Jones Date: Wed, 26 Nov 2025 12:45:43 +0000 Subject: [PATCH] fix: add dependabot.yml to fix npm workspaces issues Adds dependabot configuration to address npm workspace lockfile issues that caused PR #3021 to fail. The root cause was Dependabot trying to update the same package (glob) to different major versions across workspace directories, creating an inconsistent package-lock.json that fails `npm ci`. Key changes: - Configure npm updates from root directory only (per issue #6346) - Use versioning-strategy: increase for consistent lockfile updates - Explicitly configure security update grouping via applies-to See: - https://github.com/dependabot/dependabot-core/issues/6346 - https://github.com/dependabot/dependabot-core/issues/7157
---
.github/dependabot.yml | 56 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..93ab2461f7
--- /dev/null
+++ b/.github/dependabot.yml 
@@ -0,0 +1,56 @@
+version: 2
+updates:
+ # npm workspaces monorepo - manage from root only
+ # See: https://github.com/dependabot/dependabot-core/issues/6346
+ # Dependabot has issues updating package-lock.json when configured
+ # for individual workspace directories. Using root directory ensures
+ # consistent lockfile updates across all workspaces.
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ # Use 'increase' strategy to ensure both package.json and package-lock.json
+ # are updated consistently
+ versioning-strategy: increase
+ groups:
+ # Group version updates (minor/patch only for safety)
+ npm-dependencies:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+ # Explicitly configure security updates grouping
+ # This ensures security updates are handled from the root directory
+ # to avoid npm workspace hoisting issues when different workspaces
+ # need different major versions of the same package
+ npm-security:
+ applies-to: security-updates
+ patterns:
+ - "*"
+
+ # Python packages
+ - package-ecosystem: "pip"
+ directory: "/src/fetch"
+ schedule:
+ interval: "weekly"
+
+ - package-ecosystem: "pip"
+ directory: "/src/git"
+ schedule:
+ interval: "weekly"
+
+ - package-ecosystem: "pip"
+ directory: "/src/time"
+ schedule:
+ interval: "weekly"
+
+ # GitHub Actions
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
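Review bot: The comment `# Group version updates (minor/patch only for safety)` above the `npm-dependencies` group overstates what `update-types` does — it only selects which updates are batched into that group, so major npm updates are not excluded and will still arrive as individual PRs; suggest `# Batch minor/patch updates into one PR; major updates are still raised individually`. Likewise the four-line comment above `npm-security` attributes the workspace-hoisting fix to the group, but `applies-to: security-updates` only changes how security PRs are batched — the lockfile-consistency behaviour the commit relies on comes from `directory: "/"` and `versioning-strategy: increase`, so the comment should say that so a later maintainer does not remove the group expecting it to be the fix. With `patterns: "*"` on every ecosystem and a weekly schedule, each freshly published upstream release is adopted on the next run; if exposure to newly published (and occasionally later-yanked) versions is a concern for this repo, Dependabot's `cooldown` setting (`cooldown:` with `default-days: <n>`) can delay adoption, assuming the Dependabot version in use supports it.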