Dependabot: no npm pull requests

2026-02-05 13:28:43 -06:00 · 2025-01-30 14:55:39 +01:00
parent b80bff33fd
commit b5d9fbb8eb
1 changed files with 10 additions and 0 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -19,3 +19,13 @@ updates:
    - dependency-name: "django-tailwind"
      versions:
      - ">3.6"
+
+# Turn off all pull requests for npm dependencies; we only use npm as a development-side
+# dependency (for tailwind, the results of which we simply commit into the repo).
+# This looks like a work-around ("limit: 0") but it's in fact the official way:
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#example-disabling-version-updates-for-some-dependencies
+- package-ecosystem: "npm"
+  directory: "/"
+  schedule:
+    interval: "weekly"
+  open-pull-requests-limit: 0