chore: use dependabot to manage dependencies (#2830)

Use dependabot to manage the dependencies defined in package.json and
GitHub Actions workflows, so that we can proactively update versions.

Outdated versions of third-party dependencies frequently have known
security vulnerabilities with CVEs.
This commit is contained in:
Jonathan Yu 2021-03-12 11:46:18 -08:00 committed by GitHub
parent c270570f77
commit 7b1fe3156d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

25
.github/dependabot.yml vendored Normal file
View File

@ -0,0 +1,25 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
time: "11:00"
assignees:
- "jawnsy"
reviewers:
- "jawnsy"
ignore:
# GitHub always delivers the latest versions for each major
# release tag, so handle updates manually
- dependency-name: "actions/*"
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "daily"
time: "11:00"
assignees:
- "jawnsy"
reviewers:
- "jawnsy"