PR #998 was supposed to filter Dependabot PRs to security updates only.
But applies-to was on the wrong level of nesting.
Also renamed the group from "dependency-type" to "security"; right now
we get PRs like "Bump the dependency-type group in /installer-gui with 7
updates #1010".
Search for applies-to on this page:
https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference
-- it's on the same level as patterns.
This PR was fully AI-generated, description hand-written though.
When there is a CVE in some JS package, it seems to coincide with an
avalanche of security releases of random other packages.
Dependabot can actually create bulk PRs, let's try those.
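
The nesting fix described above, sketched as an added example (not the diff from this PR or the repository's own file): `applies-to` belongs inside the named group, beside `patterns`. The `npm` ecosystem, the weekly schedule, the `"*"` pattern and the exact misplaced position in the "before" document are assumptions; the directory and group names come from the description.

```yaml
# Added illustration; not the repository's actual dependabot.yml.

# Before (assumed misplacement): applies-to sits beside `groups`,
# so it is not a property of the group it was meant to restrict.
version: 2
updates:
  - package-ecosystem: "npm"          # assumed ecosystem
    directory: "/installer-gui"
    schedule:
      interval: "weekly"              # assumed schedule
    applies-to: security-updates      # wrong level of nesting
    groups:
      dependency-type:
        patterns:
          - "*"                       # assumed pattern
---
# After: applies-to is a sibling of patterns inside the named group,
# and the group is renamed so PR titles read "Bump the security group ...".
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/installer-gui"
    schedule:
      interval: "weekly"
    groups:
      security:
        applies-to: security-updates  # same level as patterns
        patterns:
          - "*"
```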