chore(deps): group routine Renovate update PRs

[gabrielmfern]

Summary

• group routine non-major Renovate updates into reviewable buckets instead of one broad dependency PR
• keep security advisories isolated under vulnerabilityAlerts so they can still be reviewed and merged independently
• document each Renovate field used in this config so the grouping strategy is easy to verify against Renovate's docs

Test plan

• Validate renovate.json parses with python -m json.tool renovate.json
• Let Renovate run against this branch and confirm PR grouping behavior matches the configured rules

Renovate docs references

• $schema: https://docs.renovatebot.com/renovate-schema.json
• extends: https://docs.renovatebot.com/configuration-options/#extends
• ignorePaths: https://docs.renovatebot.com/configuration-options/#ignorepaths
• rebaseWhen: https://docs.renovatebot.com/configuration-options/#rebasewhen
• vulnerabilityAlerts: https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts
• packageRules: https://docs.renovatebot.com/configuration-options/#packagerules
• description: https://docs.renovatebot.com/configuration-options/#description
• matchDepTypes: https://docs.renovatebot.com/configuration-options/#matchdeptypes
• matchUpdateTypes: https://docs.renovatebot.com/configuration-options/#matchupdatetypes
• matchPackageNames: https://docs.renovatebot.com/configuration-options/#matchpackagenames
• groupName: https://docs.renovatebot.com/configuration-options/#groupname

Made with Cursor

---

Summary by cubic

Groups routine non‑major Renovate updates into focused PRs to cut noise and speed reviews. Security advisories stay isolated under vulnerabilityAlerts as security updates.

• Dependencies
  • Group dev-only minor/patch/pin/digest updates as "dev dependency updates".
  • Group React ecosystem: react, react-dom, @types/react, @types/react-dom, next, @next/*.
  • Group tooling: @biomejs/**, @changesets/**, rollup, tsdown, @tsdown/**, tsx, turbo, typescript, vite, vitest.
  • Group GitHub integrations: @actions/**, @octokit/**.

^{Written for commit 1bb0aac. Summary will update on new commits.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
react-email	Ready	Preview, Comment	Apr 17, 2026 3:13pm
react-email-demo	Ready	Preview, Comment	Apr 17, 2026 3:13pm

[changeset-bot]

⚠️ No Changeset found

Latest commit: 1bb0aac

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cubic-dev-ai]

No issues found across 1 file

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.