## Summary

Enable Dependabot on the repo to keep `jsdom` (the only devDependency) up to date automatically and get alerts for any future vulnerabilities.

## Setup steps

1. Enable in repo settings → Settings → Code security:
   - Dependency graph
   - Dependabot alerts
   - Dependabot security updates
2. Add `.github/dependabot.yml` for version updates:

   ```yaml
   version: 2
   updates:
     - package-ecosystem: "npm"
       directory: "/"
       schedule:
         interval: "weekly"
   ```

3. Commit and push; Dependabot will open PRs automatically when new versions of `jsdom` are released.

## Notes

- Only one devDep (`jsdom`), so update noise will be minimal.
- Security updates (vuln patches) are separate from version updates and trigger immediately when a CVE is published.
- The pre-commit hook (`npm run build && npm test`) will gate any Dependabot PRs through CI before merge.