From 45f67396f6f7f85b5a78066dff4e6df5cea0d3b2 Mon Sep 17 00:00:00 2001
From: Akpolo Ogagaoghene Prince <ogazboizakpolo@gmail.com>
Date: Thu, 18 Jun 2026 07:35:05 +0100
Subject: [PATCH] fix(ci): point Dependabot npm at the workspace root only

flowfi is a single npm workspace (frontend + backend hoisted into one root
package-lock.json). dependabot.yml declared separate npm ecosystems for
/frontend and /backend, but those only bump the directory's package.json
without updating the root lockfile that CI runs `npm ci` against. Every PR they
opened therefore died at install with:

  npm error `npm ci` can only install packages when your package.json and
  package-lock.json ... are in sync
  npm error Invalid: lock file's next@16.2.7 does not satisfy next@16.2.9

The root "/" npm entry already covers the whole workspace and updates the root
lockfile (those PRs, e.g. the grouped minor-and-patch one, pass CI). Drop the
two per-directory npm entries so future Dependabot PRs install cleanly.
---
 .github/dependabot.yml | 32 ++++++--------------------------
 1 file changed, 6 insertions(+), 26 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f702a5f9..b2dcf573 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -2,6 +2,12 @@ version: 2
 
 updates:
   # ── npm: root workspace ────────────────────────────────────────────────────
+  # flowfi is a single npm workspace (frontend + backend hoisted into one root
+  # package-lock.json). Dependabot must update from the workspace root so the
+  # root lockfile CI runs `npm ci` against stays in sync. Per-directory entries
+  # for /frontend and /backend only touched their package.json without updating
+  # the root lockfile, so every PR they opened failed `npm ci` with
+  # "lock file's X does not satisfy Y". One root entry covers all workspaces.
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
@@ -14,32 +20,6 @@ updates:
           - "minor"
           - "patch"
 
-  # ── npm: frontend ──────────────────────────────────────────────────────────
-  - package-ecosystem: "npm"
-    directory: "/frontend"
-    schedule:
-      interval: "weekly"
-      day: "monday"
-    open-pull-requests-limit: 10
-    groups:
-      minor-and-patch:
-        update-types:
-          - "minor"
-          - "patch"
-
-  # ── npm: backend ───────────────────────────────────────────────────────────
-  - package-ecosystem: "npm"
-    directory: "/backend"
-    schedule:
-      interval: "weekly"
-      day: "monday"
-    open-pull-requests-limit: 10
-    groups:
-      minor-and-patch:
-        update-types:
-          - "minor"
-          - "patch"
-
   # ── Cargo: contracts ───────────────────────────────────────────────────────
   - package-ecosystem: "cargo"
     directory: "/contracts"