Add Dependabot config to block major version upgrades

mattglory · claude · mattglory · commit 259d4e77a1f1 · 2026-02-11T21:02:52.000Z
Prevents Next.js 14→15/16, React 18→19, and esbuild major/minor
upgrade PRs that require migration work. Allows patch and security
updates through automatically.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,28 @@
+version: 2
+updates:
+  # Root package (contracts/tests)
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    ignore:
+      # Only allow patch updates for esbuild (major/minor can break builds)
+      - dependency-name: "esbuild"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
+
+  # Frontend (web/)
+  - package-ecosystem: "npm"
+    directory: "/web"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    ignore:
+      # Block major version upgrades for Next.js (14→15 requires migration)
+      - dependency-name: "next"
+        update-types: ["version-update:semver-major"]
+      # Block major React upgrades (tied to Next.js version)
+      - dependency-name: "react"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "react-dom"
+        update-types: ["version-update:semver-major"]
