Distinguish prod and dev dependentbot update (#39)

fcollonval · web-flow · commit 01434fe54070 · 2021-08-13T08:51:49.000+02:00
* Distinguish prod and dev dependentbot update

* Including scope make it explicit enough

* Upgrade only lockfile
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,20 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "npm" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "daily"
+    versioning-strategy: lockfile-only
+    commit-message:
+      prefix: "npm"
+      include: "scope"
+    allow:  # Only consider run time dependencies:
+      - dependency-type: "production"
+    ignore: # Don't update major and minor to keep compatibility with older jupyterlab
+      - dependency-name: '*'
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
