## Handling Dependabot Dependency Updates

### Review the changelog first
Before merging, check what changed between versions — especially for major bumps. Look for breaking changes, deprecated APIs, or behavior changes.

### Understand semver signals
- **Patch (1.0.x)** — bug/security fixes, generally safe to merge
- **Minor (1.x.0)** — new features, backward-compatible, low risk
- **Major (x.0.0)** — breaking changes likely, requires careful review and testing

The general rule: patch = merge quickly, minor = review and merge, major = treat like a migration task.

### Don't skip tests
Make sure CI runs the full test suite on each Dependabot PR before merging. If tests are absent, do a manual smoke test of critical paths.

For **minor version updates**, run the Cypress test suite locally before merging (`yarn test`). New features in a minor bump can introduce subtle behavior changes that unit tests won't catch.

### Check for dependency compatibility
Bumping one package can cause peer dependency conflicts with others. Review the `yarn.lock` diff — a surprisingly large change (many transitive packages added, removed or re-resolved for a single-package bump) warrants a closer look. Also check that the updated package is compatible with other key dependencies (e.g. a Vite plugin bumped to support Vite 6 may break if you're still on Vite 5).

### Don't blindly auto-merge everything
Auto-merge is reasonable for patch-level updates in well-tested projects, but be cautious with minor/major bumps or packages central to the app (e.g. web framework, auth libraries).
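The semver rule of thumb above and the auto-merge guidance in this section can be encoded as a small triage script. The following is an added JavaScript example, not part of the original guide or any Dependabot tooling; it assumes the standard Dependabot PR title format `Bump <pkg> from <old> to <new>`, and the function names (`classifyBump`, `mergePolicy`, `triageDependabotPr`) and the `centralPackages` list are hypothetical. It goes slightly beyond the text by treating a minor bump under major version 0 as potentially breaking and by routing prerelease changes and downgrades to human review.

```javascript
// Added example, not from the original guide: classify a Dependabot PR title
// by its semver bump and map it to the policy described above.
// Assumes the standard Dependabot title "Bump <pkg> from <old> to <new>".
const TITLE_RE = /^Bump (\S+) from (\S+) to (\S+)/;

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (optional leading "v"); null if malformed.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Returns "major" | "minor" | "patch" | "prerelease" | "none". Downgrades and
// unchanged versions give "none" so they are never auto-merged.
function classifyBump(from, to) {
  const a = parseSemver(from), b = parseSemver(to);
  if (!a || !b) throw new Error(`unparseable version: ${from} -> ${to}`);
  if (b.major !== a.major) return b.major > a.major ? "major" : "none";
  // Semver spec: under major version 0 anything may change, so a 0.x minor
  // bump is treated as potentially breaking (added caveat, not from the guide).
  if (b.minor !== a.minor) return b.minor > a.minor ? (a.major === 0 ? "major" : "minor") : "none";
  if (b.patch !== a.patch) return b.patch > a.patch ? "patch" : "none";
  return a.pre !== b.pre ? "prerelease" : "none";
}

// patch = merge quickly (auto-merge only when the project is well tested and
// the package is not central), minor = review, major = migration task;
// anything else (prerelease, downgrade, unknown) falls back to human review.
function mergePolicy(bump, { central = false, wellTested = true } = {}) {
  if (bump === "patch") return central || !wellTested ? "review" : "auto-merge";
  if (bump === "minor") return "review";
  if (bump === "major") return "migration";
  return "review";
}

// `centralPackages` is an assumed per-project list (e.g. web framework, auth
// libraries) that must never be auto-merged, as the guide recommends.
function triageDependabotPr(title, centralPackages = []) {
  const m = TITLE_RE.exec(title);
  if (!m) return { pkg: null, bump: "none", policy: "review" };
  const [, pkg, from, to] = m;
  const bump = classifyBump(from, to);
  const policy = mergePolicy(bump, { central: centralPackages.includes(pkg) });
  return { pkg, bump, policy };
}

// Constructed sample titles, not real PRs:
console.log(triageDependabotPr("Bump vite from 5.4.2 to 6.0.1", ["vite", "react"]));
console.log(triageDependabotPr("Bump lodash from 4.17.20 to 4.17.21", ["vite", "react"]));
```

Wire `triageDependabotPr` into a CI job that reads the PR title and only enables auto-merge when the result is `auto-merge`; every other outcome leaves the PR for a human.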
