From 270e69c1a8c90c8666a301ac1c0aaec1e23a4692 Mon Sep 17 00:00:00 2001
From: ddobrin
Date: Tue, 16 Jun 2026 10:57:16 -0400
Subject: [PATCH] chore: add dependabot config ignoring Vaadin-managed npm packages The vaadin-maven-plugin regenerates package.json on every build and pins the frontend npm toolchain (vite, @vitejs/*, esbuild, @vaadin/*, react-router, react, react-dom, lit) to versions tested against in pom.xml. Dependabot bumps to those packages are reverted by the build and never take effect, so ignore them here. Upgrade them by bumping instead. Maven updates stay on.
Co-Authored-By: Claude Opus 4.8
---
.github/dependabot.yml | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..0cfe096
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,29 @@
+# Dependabot configuration
+#
+# This is a Vaadin Hilla project: the vaadin-maven-plugin (flow:prepare-frontend)
+# regenerates package.json on every build and pins the frontend npm toolchain to
+# versions tested against the configured in pom.xml. Dependabot
+# bumps to those packages are reverted by the build and never take effect, so we
+# ignore the Vaadin-managed surface here. Upgrade them instead by bumping
+# in pom.xml.
+version: 2
+updates:
+ - package-ecosystem: npm
+ directory: "/"
+ schedule:
+ interval: weekly
+ ignore:
+ # Vaadin-owned frontend toolchain (pinned via the "$..." overrides + hash)
+ - dependency-name: "vite"
+ - dependency-name: "@vitejs/*"
+ - dependency-name: "esbuild"
+ - dependency-name: "@vaadin/*"
+ - dependency-name: "react-router"
+ - dependency-name: "react"
+ - dependency-name: "react-dom"
+ - dependency-name: "lit"
+
+ - package-ecosystem: maven
+ directory: "/"
+ schedule:
+ interval: weekly
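Review bot: The npm `ignore` entries are bare `dependency-name` rules with no `versions` or `update-types` qualifier, so every Dependabot update for `vite`, `@vitejs/*`, `esbuild`, `@vaadin/*`, `react-router`, `react`, `react-dom` and `lit` is excluded. It is worth confirming against GitHub's Dependabot documentation whether such rules also suppress security-update pull requests for these packages. If they do, an advisory against one of them would presumably surface only as a Dependabot alert, with no PR to prompt the fix. The header comment explains the functional reason for the ignore list but not the patching path, so I would add a line such as `# Security fixes for the ignored packages arrive only through a Vaadin platform bump in pom.xml; monitor Dependabot alerts for them.` The maven ecosystem entry is what proposes that platform bump, so its weekly schedule effectively sets the patch latency for the whole ignored frontend toolchain.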