Use grouped dependabot updates

When there is a CVE in some JS package, it seems to coincide with an avalanche of security releases of random other packages. Dependabot can actually create bulk PRs, let's try those.
2026-05-01 18:00:00 -07:00 · 2026-03-16 15:35:24 +01:00
parent 853ad3763c
commit 1bab75830b
1 changed files with 41 additions and 0 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,41 @@
+version: 2
+updates:
+  # Rust dependencies
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      dependency-type:
+        patterns:
+          - "*"
+
+  # Python dependencies
+  - package-ecosystem: "pip"
+    directory: "/tools"
+    schedule:
+      interval: "weekly"
+    groups:
+      dependency-type:
+        patterns:
+          - "*"
+
+  # daemon/web Node.js dependencies
+  - package-ecosystem: "npm"
+    directory: "/daemon/web"
+    schedule:
+      interval: "weekly"
+    groups:
+      dependency-type:
+        patterns:
+          - "*"
+
+  # installer-gui Node.js dependencies
+  - package-ecosystem: "npm"
+    directory: "/installer-gui"
+    schedule:
+      interval: "weekly"
+    groups:
+      dependency-type:
+        patterns:
+          - "*"