ci(dependabot): switch to security-only mode

.github/dependabot.yml

@@ -1,18 +1,32 @@
 # Dependabot configuration for microsoft/TypeChat.
 #
-# Per ecosystem: routine minor/patch updates are grouped into a single
-# weekly PR; security updates ship as their own grouped PR; major-version
-# bumps fall through ungrouped (one PR per package) for breaking-change
-# review.
+# Security-only mode: we want Dependabot alerts (security updates) to flow,
+# but NOT routine weekly version-update PRs. Setting
+# open-pull-requests-limit: 0 on each ecosystem block disables version
+# updates while keeping the ecosystem registered so security-update PRs
+# can still be opened automatically when an alert fires. (Security
+# updates have a separate, fixed limit of 10 that is unaffected by
+# open-pull-requests-limit.)
+#
+# Routine non-security upgrades are handled out-of-band (manually or by
+# a separate workflow); this file's role is to keep the security pipe
+# unblocked without flooding the repo with churn.
+#
+# Note: devcontainers is intentionally absent -- Dependabot does not
+# support security updates for that ecosystem (only version updates),
+# so a security-only config has nothing to declare for it.
+#
+# Repo-level prerequisites (Settings > Code security):
+#   - Dependency graph: enabled
+#   - Dependabot alerts: enabled
+#   - Dependabot security updates: enabled
+#   - Grouped security updates: enabled
 #
 # Docs: https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
 
 version: 2
 updates:
   # npm — typescript library + examples + docs site.
-  # All security alerts in this repo to date have been against
-  # typescript/package-lock.json, which previously had no ecosystem entry
-  # here, so Dependabot never opened any update PRs for them.
   - package-ecosystem: "npm"
     directories:
       - "/typescript"
@@ -21,18 +35,16 @@ updates:
     schedule:
       interval: "weekly"
       day: "monday"
+    open-pull-requests-limit: 0
     labels:
       - "dependencies"
-    # Group routine minor/patch bumps; security updates grouped separately
-    # so they can be prioritised. Major-version bumps fall through as
-    # one-PR-per-package so they can be reviewed for breaking changes.
+    # Group SemVer minor/patch security alerts so multiple simultaneous
+    # advisories in this ecosystem bundle into a single PR. SemVer-major
+    # security bumps fall through to Dependabot's normal ungrouped
+    # behavior so they can be reviewed individually for breaking changes
+    # (independent of advisory severity — this is purely a SemVer-level
+    # filter).
     groups:
-      npm-production:
-        dependency-type: "production"
-        update-types: ["minor", "patch"]
-      npm-development:
-        dependency-type: "development"
-        update-types: ["minor", "patch"]
       npm-security:
         applies-to: security-updates
         patterns: ["*"]
@@ -43,34 +55,21 @@ updates:
     schedule:
       interval: "weekly"
       day: "monday"
+    open-pull-requests-limit: 0
     labels:
       - "dependencies"
     groups:
-      pip-all:
-        patterns: ["*"]
-        update-types: ["minor", "patch"]
       pip-security:
         applies-to: security-updates
         patterns: ["*"]
         update-types: ["minor", "patch"]
 
-  - package-ecosystem: "devcontainers"
-    directory: "/"
-    schedule:
-      interval: weekly
-    groups:
-      devcontainers:
-        patterns: ["*"]
-        update-types: ["minor", "patch"]
-
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: weekly
+    open-pull-requests-limit: 0
     groups:
-      github-actions:
-        patterns: ["*"]
-        update-types: ["minor", "patch"]
       github-actions-security:
         applies-to: security-updates
         patterns: ["*"]