diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..ef142bf9 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,32 @@ +version: 2 + +updates: + - package-ecosystem: npm + directory: / + schedule: + interval: monthly + time: "04:00" + timezone: Etc/UTC + open-pull-requests-limit: 2 + groups: + # Keep routine version churn to one reviewable lockfile diff. Minor and + # major upgrades stay manual so runtime migrations keep their own tests. + routine-patches: + applies-to: version-updates + patterns: + - "*" + exclude-patterns: + - "better-sqlite3" + update-types: + - patch + ignore: + # Security alerts remain available even when version-update PRs are + # intentionally suppressed. Review minor and major upgrades manually. + - dependency-name: "*" + update-types: + - version-update:semver-minor + - version-update:semver-major + + # better-sqlite3 is pinned exactly because the workspace alternates one + # installed binary between the Node and Electron ABIs. + - dependency-name: better-sqlite3 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 95e5e80e..52e52810 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -120,6 +120,14 @@ node packages/app/scripts/smoke-packaged.mjs packages/app/dist/mac-arm64/Spool.a node packages/app/scripts/package-size-report.mjs packages/app/dist/mac-arm64/Spool.app ``` +## Dependency maintenance + +Dependabot deliberately opens one grouped patch update each month. Minor and major upgrades are manual so framework and runtime migrations do not share a lockfile diff with routine maintenance. One dependency is also manual at every version: + +- `better-sqlite3`, which must be validated against both the Node and Electron ABIs + +Review grouped ACP patches as a coordinated lockfile change: the Codex extension publishes exact-version platform binaries, while the ACP SDK and Claude extension have independent version lines. For Electron or native-module changes, run the full verification matrix above plus the packaged smoke, code-signing check, and package-size report. Dependabot security alerts remain enabled separately from version updates. + ## What to work on - Check [Issues](https://github.com/spool-lab/spool/issues) for bugs and feature requests