ci(deps): group all Bun updates, ignore majors, pin vue-router

[roziscoding]

Why

Dependabot opened 8 PRs in the last batch. Two structural problems caused it:

1. Per-member directory scanning (/apps/*, /packages/*) on a single-lockfile Bun workspace produced isolated package.json edits that left the shared root bun.lock stale → bun install --frozen-lockfile failed, and duplicated bumps the root scan already makes. (Already fixed on main in b635516 — scan only /.)
2. Majors are never grouped, so each major got its own PR (vue-router×2, typescript×2, antfu×1).

This branch finishes the cleanup.

Changes

• dependabot.yml — collapse prod+dev into a single all-dependencies group (one weekly PR for the whole workspace), and ignore all major-version bumps. Security updates still apply; majors get handled deliberately by hand.
• apps/ui vue-router pin — was ^4.5.1, but nuxt@4.x depends on vue-router ^5.1.0. The stale pin forced a second, unused v4 copy alongside Nuxt's v5. Pin ^5.1.0 to match Nuxt (now safe from surprise majors via the ignore rule). Lockfile regenerated → single vue-router@5.1.0, no v4 anywhere.

Verification

• bun install --frozen-lockfile — clean
• nuxt typecheck (apps/ui) — exits 0, zero errors

Follow-ups (not in this PR)

• Config only affects Dependabot's next run; existing open PRs won't regroup. Close the broken per-member ones (chore(dev-deps): bump @antfu/eslint-config from 7.7.3 to 9.1.0 in /apps/backend #42, chore(dev-deps): bump typescript from 5.9.3 to 6.0.3 in /apps/ui #43), re-run chore(deps): bump the production-dependencies group across 4 directories with 10 updates #54's e2e, fix chore(dev-deps): bump the development-dependencies group across 3 directories with 3 updates #55's lockfile.
• chore(deps): bump vue-router from 4.6.4 to 5.1.0 #40 (vue-router 4→5) is superseded by this branch — close once merged.
• github-actions Dependabot block left untouched (already one grouped PR; its majors are SHA-pinned bumps you generally want).

Greptile Summary

This PR tightens dependency update handling for the Bun workspace. The main changes are:

• One grouped Dependabot PR for Bun dependency updates.
• Scheduled major dependency updates ignored for manual handling.
• apps/ui aligned to Nuxt's vue-router ^5.1.0 dependency.
• The Bun lockfile regenerated for the new router resolution.

Confidence Score: 5/5

This looks safe to merge.

• No blocking issues found in the changed code.
• The router pin matches Nuxt's own dependency.
• The lockfile keeps incompatible Babel versions separated through nested resolutions.
• The remaining note is a small Dependabot commit-label cleanup.

_{Reviews (1): Last reviewed commit: "chore(ui): align vue-router with Nuxt's ..." | Re-trigger Greptile}

Greptile also left 1 inline comment on this PR.

Context used (5)

• Context used - packages/schemas/CLAUDE.md (source)
• Context used - CLAUDE.md (source)
• Context used - Use Bun instead of Node.js, npm, pnpm, or vite. (source)
• Context used - apps/backend/CLAUDE.md (source)
• Context used - AGENTS.md (source)