Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 32 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
version: 2

updates:
- package-ecosystem: npm
directory: /
schedule:
interval: monthly
time: "04:00"
timezone: Etc/UTC
open-pull-requests-limit: 2
groups:
# Keep routine version churn to one reviewable lockfile diff. Minor and
# major upgrades stay manual so runtime migrations keep their own tests.
routine-patches:
applies-to: version-updates
patterns:
- "*"
exclude-patterns:
- "better-sqlite3"
update-types:
- patch
ignore:
# Security alerts remain available even when version-update PRs are
# intentionally suppressed. Review minor and major upgrades manually.
- dependency-name: "*"
update-types:
- version-update:semver-minor
- version-update:semver-major

# better-sqlite3 is pinned exactly because the workspace alternates one
# installed binary between the Node and Electron ABIs.
- dependency-name: better-sqlite3
8 changes: 8 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,14 @@ node packages/app/scripts/smoke-packaged.mjs packages/app/dist/mac-arm64/Spool.a
node packages/app/scripts/package-size-report.mjs packages/app/dist/mac-arm64/Spool.app
```

## Dependency maintenance

Dependabot deliberately opens one grouped patch update each month. Minor and major upgrades are manual so framework and runtime migrations do not share a lockfile diff with routine maintenance. One dependency is also manual at every version:

- `better-sqlite3`, which must be validated against both the Node and Electron ABIs

Review grouped ACP patches as a coordinated lockfile change: the Codex extension publishes exact-version platform binaries, while the ACP SDK and Claude extension have independent version lines. For Electron or native-module changes, run the full verification matrix above plus the packaged smoke, code-signing check, and package-size report. Dependabot security alerts remain enabled separately from version updates.

## What to work on

- Check [Issues](https://github.com/spool-lab/spool/issues) for bugs and feature requests
Expand Down