version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # npm ecosystem covers pnpm, including workspace catalogs (GA Feb 2025).
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # pnpm enforces minimumReleaseAge (1440min / 1 day) at install time, so a
    # PR for a too-fresh version would fail `pnpm install` in CI. Hold updates
    # back past that gate (with margin) so Dependabot never proposes a version
    # pnpm will refuse. See pnpm-workspace.yaml.
    cooldown:
      default-days: 3
      semver-major-days: 7
    # Group only minor/patch bumps. Majors carry breaking changes and
    # peer-dep incompatibilities (e.g. @vitejs/plugin-react@6 importing
    # vite/internal, which rolldown-vite doesn't export), so they break out
    # into individual PRs for separate review instead of poisoning the batch.
    groups:
      dev-dependencies:
        dependency-type: "development"
        update-types: ["minor", "patch"]
      production-dependencies:
        dependency-type: "production"
        update-types: ["minor", "patch"]
    open-pull-requests-limit: 10
