From 4e941462fcb7212166c3f1a49c2145643cb0304c Mon Sep 17 00:00:00 2001
From: Phillipp Glanz <6745190+TheMeinerLP@users.noreply.github.com>
Date: Thu, 14 May 2026 18:05:02 +0200
Subject: [PATCH 1/2] chore(dependabot): disable version updates in favour of Renovate

Renovate is now the single source of truth for dependency updates. Setting open-pull-requests-limit to 0 prevents Dependabot from opening any new version-update PRs. Security updates remain controlled via the repository security settings.
---
 .github/dependabot.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..2c22b88
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,14 @@
+# Dependency management is handled by Renovate (see renovate.json).
+# This file intentionally disables Dependabot version updates so the two
+# bots do not produce duplicate PRs for the same dependency.
+#
+# Note: Dependabot *security* updates are configured separately and cannot
+# be disabled via this file. To turn them off, go to:
+# Settings -> Code security -> Dependabot security updates
+version: 2
+updates:
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "monthly"
+ open-pull-requests-limit: 0
From 122c844ead93ef7e667370dd00f4124d4cc56fff Mon Sep 17 00:00:00 2001
From: Phillipp Glanz <6745190+TheMeinerLP@users.noreply.github.com>
Date: Thu, 14 May 2026 18:05:12 +0200
Subject: [PATCH 2/2] chore(renovate): migrate config to config:recommended

- Replace deprecated config:base with config:recommended
- Add explicit dependencyDashboard preset
- Group patch updates into a single PR to reduce noise
- Require manual dashboard approval for major upgrades
- Enable monthly lockFileMaintenance
- Label vulnerability alerts as security
---
 renovate.json | 33 ++++++++++++++++++++++++++-------
 1 file changed, 26 insertions(+), 7 deletions(-)
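Review bot: The header comment in `.github/dependabot.yml` explains how to switch off Dependabot security updates but never says that Dependabot alerts themselves have to stay enabled. As far as I know, Renovate's `vulnerabilityAlerts` handling (configured in `renovate.json` by the second patch) is driven by GitHub's Dependabot alerts, so a maintainer who disables alerts together with security updates would lose the out-of-schedule security PRs without any error. I would add a line such as `# Keep the dependency graph and Dependabot alerts enabled: Renovate's vulnerabilityAlerts relies on them.` The comment should also state whether security updates are meant to stay on, since leaving them on next to Renovate can produce the duplicate PRs this file is meant to prevent.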
diff --git a/renovate.json b/renovate.json
index 3298442..68242ee 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,11 +1,30 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 "extends": [
- "config:base",
- ":semanticCommitsDisabled"
+ "config:recommended",
+ ":semanticCommitsDisabled",
+ ":dependencyDashboard"
 ],
- "ignoreDeps": [],
- "labels": ["Renovate"],
- "rebaseWhen": "conflicted",
- "schedule": ["on the first day of the month"]
-}
\ No newline at end of file
+ "labels": ["dependencies", "Renovate"],
+ "rebaseWhen": "behind-base-branch",
+ "schedule": ["before 6am on the first day of the month"],
+ "prConcurrentLimit": 10,
+ "lockFileMaintenance": {
+ "enabled": true,
+ "schedule": ["before 6am on the first day of the month"]
+ },
+ "packageRules": [
+ {
+ "groupName": "patch updates",
+ "matchUpdateTypes": ["patch"]
+ },
+ {
+ "matchUpdateTypes": ["major"],
+ "addLabels": ["major-update"],
+ "dependencyDashboardApproval": true
+ }
+ ],
+ "vulnerabilityAlerts": {
+ "labels": ["security"]
+ }
+}
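Review bot: `vulnerabilityAlerts` sets `"labels": ["security"]` while the major-update rule in the same hunk uses `addLabels`; as I understand Renovate, `labels` is not merged with the top-level value, so security PRs would carry only `security` and lose `dependencies` and `Renovate`. If the intent is to add a label rather than replace the set, use `"addLabels": ["security"]` there. Separately, the grouped patch rule and the monthly `lockFileMaintenance` will propose whatever was published just before the scheduled run. A soak period such as `"minimumReleaseAge": "3 days"` on the patch rule would give a bad release time to be withdrawn before it lands in a grouped PR that is hard to review item by item.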