Skip to content

Add Dependabot (or Renovate) for Cargo and npm #63

Description

@collinsadi

Cargo.lock and package-lock.json are committed and CI runs cargo audit, cargo deny, and npm audit, but nothing opens update PRs, so dependency bumps are fully manual. We should add .github/dependabot.yml covering the Cargo workspace, the root, frontend, and circuits npm manifests, and GitHub Actions, grouped to reduce PR noise.

Acceptance criteria

  • The Dependabot config covers all ecosystems in the repo.
  • Updates are grouped and scheduled, and CI gates them.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Official CampaignPart of the official campaignciCI/CD pipelines and automationdxDeveloper experiencegood-first-issueGood for newcomerslowLow prioritysecurity-hardeningDefensive hardening (non-blocking)

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions