The dependabot.yml config monitors / and /vscode-extension for npm updates, but webapp/backend and webapp/frontend are not covered. Their package-lock.json files will not receive automated vulnerability PRs.
Fix
Add to .github/dependabot.yml:
  - package-ecosystem: npm
    directory: /webapp/backend
    schedule:
      interval: weekly
    open-pull-requests-limit: 5
    groups:
      dev-dependencies:
        dependency-type: development
      production-dependencies:
        dependency-type: production
  - package-ecosystem: npm
    directory: /webapp/frontend
    schedule:
      interval: weekly
    open-pull-requests-limit: 5
    groups:
      dev-dependencies:
        dependency-type: development
Context
Introduced by PR #90 (webapp). The webapp ships Express, Helmet, and other production dependencies that need vulnerability monitoring.
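A check for this kind of coverage gap, as an added example that is not part of the original issue or the project's code: it lists every directory holding a package-lock.json and reports those with no npm entry in .github/dependabot.yml. The function names are hypothetical, and the config is read line by line on the assumption that each entry puts package-ecosystem before a singular directory key, as in the snippet above.

```shell
#!/bin/sh
# Added example: report npm project directories that Dependabot does not cover.
# Line-based parse, not a full YAML parser (assumes package-ecosystem comes
# before directory in each entry and that the singular `directory:` key is used).

# Print the directories configured for the npm ecosystem, one per line.
dependabot_npm_dirs() {
    awk -v sq="'" '
        /^[[:space:]]*-?[[:space:]]*package-ecosystem:/ {
            eco = $NF; gsub("[\"" sq "]", "", eco); next
        }
        /^[[:space:]]*-?[[:space:]]*directory:/ && eco == "npm" {
            dir = $NF; gsub("[\"" sq "]", "", dir)
            if (dir != "/") sub(/\/$/, "", dir)   # drop a trailing slash
            print dir
        }
    ' "$1"
}

# Print directories containing package-lock.json, relative to the repository
# root with a leading slash (the form dependabot.yml uses), skipping node_modules.
npm_project_dirs() {
    (cd "$1" && find . -name node_modules -prune -o -name package-lock.json -print) |
        sed -e 's|/package-lock\.json$||' -e 's|^\.$|/|' -e 's|^\./|/|' |
        LC_ALL=C sort
}

# Print every npm project directory that has no matching npm update entry.
uncovered_npm_dirs() {
    cfg="$1/.github/dependabot.yml"
    [ -f "$cfg" ] || cfg=/dev/null        # no config: everything is uncovered
    covered=$(dependabot_npm_dirs "$cfg")
    npm_project_dirs "$1" | while IFS= read -r d; do
        printf '%s\n' "$covered" | grep -qxF -- "$d" || printf '%s\n' "$d"
    done
}

# Usage from the repository root: uncovered_npm_dirs .
```

Run as a CI step, non-empty output from `uncovered_npm_dirs` can fail the build so a new package directory cannot ship without an update entry.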