Problem Statement
A manual dependency update workflow exists (infrastructure/ci/dependency-updates.yml) but there is no Dependabot configuration. Dependabot provides automated PRs for individual dependency updates with changelog links and compatibility scores.
Evidence
- No .github/dependabot.yml file
- Manual CI workflow exists for weekly updates
Impact
Dependency updates require manual CI trigger. Security patches for critical vulnerabilities may be delayed.
Proposed Solution
Create .github/dependabot.yml with package ecosystems: npm (Backend, Frontend, Analytics), cargo (Contracts). Configure weekly schedule, reviewer assignment, and labels.
Technical Requirements
- Must cover all package ecosystems
- Must assign appropriate reviewers
- Must label with 'dependencies' and 'automation'
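A concrete .github/dependabot.yml that meets the proposed solution and the three requirements above, added here as an illustration rather than a file from the repository. The directory paths, the `ORG-PLACEHOLDER/...` reviewer handles and the commit-message prefixes are assumptions; only the ecosystems, the weekly cadence and the two labels come from the issue.

```yaml
version: 2
updates:
  # npm manifests for the three JavaScript packages named in the issue.
  # Directory paths are assumed; point them at the real package.json locations.
  - package-ecosystem: "npm"
    directories:
      - "/Backend"
      - "/Frontend"
      - "/Analytics"
    schedule:
      interval: "weekly"
      day: "monday"
    # Placeholder reviewer team; replace with the real team or user handle.
    reviewers:
      - "ORG-PLACEHOLDER/js-maintainers"
    labels:
      - "dependencies"
      - "automation"
    # Cap open PRs so a burst of updates does not flood the review queue.
    open-pull-requests-limit: 10
    commit-message:
      prefix: "deps(npm)"

  # Cargo manifest for the Contracts package (path assumed).
  - package-ecosystem: "cargo"
    directory: "/Contracts"
    schedule:
      interval: "weekly"
      day: "monday"
    reviewers:
      - "ORG-PLACEHOLDER/contracts-maintainers"
    labels:
      - "dependencies"
      - "automation"
    open-pull-requests-limit: 10
    commit-message:
      prefix: "deps(cargo)"
```

Dependabot security updates (PRs raised from vulnerability alerts) are enabled in the repository's security settings and are not bound to the weekly schedule above, so critical patches do not wait for the next scheduled run. To satisfy the "no duplicate PRs" criterion, the manual workflow in infrastructure/ci/dependency-updates.yml should be disabled or scoped away from the manifests listed here.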
Acceptance Criteria
- Dependabot checks for updates weekly
- PRs are created with changelog and compatibility info
- PRs have correct labels
- No duplicate PRs with manual workflow
File Inventory
.github/dependabot.yml (new)
Dependencies
None.
Testing Strategy
- Verify Dependabot appears in GitHub Insights > Dependency graph
Security Considerations
Automated dependency updates ensure security patches are applied promptly.
Definition of Done