
chore: add dependabot config#1

Open
yakimoto wants to merge 1 commit into main from chore/add-dependabot

Conversation

@yakimoto
Contributor

@yakimoto yakimoto commented Apr 2, 2026

Adds weekly Dependabot updates for npm dependencies in all three example directories.


Summary by cubic

Adds .github/dependabot.yml to enable weekly npm updates via Dependabot for /sdk-quickstart, /mcp-server-setup, and /adk-hello-agent, keeping example dependencies up to date automatically.

Written for commit 796f2b9. Summary will update on new commits.

@coderabbitai

coderabbitai bot commented Apr 2, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Set up automated weekly dependency updates to maintain package security and stability across the project.

Walkthrough

A new Dependabot configuration file was added to enable automated weekly dependency updates across three npm package directories: /sdk-quickstart, /mcp-server-setup, and /adk-hello-agent. This sets up automated version management for external dependencies in these projects.

Changes

Cohort / File(s) | Summary
Dependabot Configuration (.github/dependabot.yml) | Added configuration to enable weekly automated dependency updates for npm packages in three separate directories: /sdk-quickstart, /mcp-server-setup, and /adk-hello-agent.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A rabbit's ode to automation

With Dependabot's gentle care,
Dependencies stay fresh and fair,
Weekly updates, smooth and neat,
Three projects march in perfect beat! 📦✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title accurately summarizes the main change: adding a Dependabot configuration file. It is concise, clear, and directly reflects the changeset.
Description check | ✅ Passed | The description clearly explains the purpose of the changes: adding Dependabot configuration for weekly npm updates across three example directories. It is relevant and informative.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@cubic-dev-ai

cubic-dev-ai bot commented Apr 2, 2026

This review could not be run because your cubic account has reached a review limit. If you need help restoring access, please contact contact@cubic.dev.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/dependabot.yml:
- Around line 3-14: The dependabot config contains an entry for
/mcp-server-setup but that directory lacks a package.json so Dependabot will
fail; either remove the /mcp-server-setup stanza from .github/dependabot.yml or
add a valid package.json to /mcp-server-setup so npm updates can run, and for
the remaining entries (e.g., /sdk-quickstart and /adk-hello-agent) add an
open-pull-requests-limit setting (open-pull-requests-limit: 10) and optional
grouping rules to batch updates by type to reduce PR noise.


📥 Commits

Reviewing files that changed from the base of the PR and between 3f7d3b6 and 796f2b9.

📒 Files selected for processing (1)
  • .github/dependabot.yml
🧰 Additional context used
🔍 Remote MCP

Summary of Relevant Context for PR Review

Based on research into Dependabot npm configuration best practices and multi-directory setups, here are the key facts relevant to reviewing this PR:

Configuration Approach Appropriateness

The PR's weekly schedule interval is valid—Dependabot requires the schedule.interval field to be set to daily, weekly, monthly, quarterly, semiannually, yearly, or cron. Weekly checks are a reasonable frequency choice and can be preferred by teams to better organize time and resources for reviewing and addressing version updates.

Multi-Directory npm Configuration

GitHub Dependabot now supports using a directories key to list multiple directories for the same ecosystem configuration in the dependabot.yml file. However, the current configuration approach of creating separate entries for each directory is still valid—developers can still explicitly enumerate configurations for the same ecosystem using the directory key.

Known Considerations for Multiple npm Directories

Potential Issue: When using separate npm directories (particularly with npm workspaces or monorepos), Dependabot may only update the package.json file in individual folders but potentially not sync lockfiles correctly at the workspace root level. This is relevant if /sdk-quickstart, /mcp-server-setup, and /adk-hello-agent are workspace packages or share a root lockfile.

Best Practice for Noise Reduction: For monorepo-style configurations with multiple directories, teams should consider using Dependabot's grouping feature to group updates by dependency name across directories, which creates a single pull request instead of separate ones per directory.

PR Volume Consideration

While weekly schedules work for small projects, enterprise codebases may need more stability through monthly or quarterly checks; batching updates reduces integration overhead. The reviewer should consider whether weekly updates across three directories may create excessive PR volume for the team.

🔇 Additional comments (1)
.github/dependabot.yml (1)

1-2: LGTM: Valid Dependabot v2 configuration.

The version and root structure are correct.

Comment on lines +3 to +14
- package-ecosystem: npm
  directory: /sdk-quickstart
  schedule:
    interval: weekly
- package-ecosystem: npm
  directory: /mcp-server-setup
  schedule:
    interval: weekly
- package-ecosystem: npm
  directory: /adk-hello-agent
  schedule:
    interval: weekly

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for workspace configuration in package.json files

echo "=== Checking for npm workspace setup ==="

# Check root package.json for workspaces field
if [ -f package.json ]; then
  echo "Root package.json:"
  cat package.json | jq -r 'if .workspaces then "Workspaces: \(.workspaces)" else "No workspaces field" end'
fi

echo -e "\n=== Checking each directory's package.json ==="
for dir in sdk-quickstart mcp-server-setup adk-hello-agent; do
  if [ -f "$dir/package.json" ]; then
    echo -e "\n$dir/package.json exists"
    cat "$dir/package.json" | jq -r '.name // "no name"' | sed 's/^/  Package name: /'
  else
    echo -e "\n$dir/package.json NOT FOUND"
  fi
done

echo -e "\n=== Checking for lockfiles ==="
fd -t f 'package-lock.json|yarn.lock|pnpm-lock.yaml' -x echo "Found: {}"

Repository: wave-av/examples



Remove /mcp-server-setup from Dependabot configuration or add a package.json file to that directory.

The configuration for /mcp-server-setup will not work—Dependabot requires a package.json file in each configured directory to manage dependencies. Only /sdk-quickstart and /adk-hello-agent have package.json files.

To fix:

  1. Either remove the /mcp-server-setup entry from .github/dependabot.yml
  2. Or add a package.json file to /mcp-server-setup if it should have npm dependencies managed

Additionally, consider these improvements for the remaining directories:

  • Add open-pull-requests-limit to prevent excessive simultaneous PRs:
- package-ecosystem: npm
  directory: /sdk-quickstart
  schedule:
    interval: weekly
  open-pull-requests-limit: 10
  • Add grouping rules to batch dependency updates by type and reduce PR noise
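The check CodeRabbit ran above, generalised into a reusable script: it reads every npm `directory:` entry out of a `dependabot.yml` and confirms the directory actually contains the `package.json` Dependabot needs, which is exactly what the `/mcp-server-setup` entry lacked. This is an added example, not code from the PR or from either bot. The `check_dependabot_dirs` and `make_fixture` names are chosen for this example, and the fixture it builds (a temporary repo with the PR's three entries and a `package.json` in only two of them) is constructed here to mirror the state the review describes.

```shell
#!/bin/sh
# Added example (not the PR's or the bots' code): validate that every npm
# "directory:" entry in .github/dependabot.yml points at a directory that
# really contains a package.json, so a misconfigured entry is caught before
# Dependabot's first scheduled run fails on it.

# check_dependabot_dirs REPO_ROOT
#   Prints "OK <dir>" or "MISSING <dir>" for each entry and returns the number
#   of entries without a package.json (0 means config and tree agree).
#   Assumes the one-directory-per-entry form used in this PR (the "directory:"
#   key, not the newer "directories:" list) and paths without whitespace.
check_dependabot_dirs() {
  repo="$1"
  config="$repo/.github/dependabot.yml"
  if [ ! -f "$config" ]; then
    echo "no dependabot.yml at $config" >&2
    return 2
  fi
  missing=0
  # Strip the key and any surrounding quotes, leaving the bare path values.
  for d in $(sed -n 's/^[[:space:]]*directory:[[:space:]]*//p' "$config" | tr -d "\"'"); do
    if [ -f "$repo/$d/package.json" ]; then
      echo "OK      $d"
    else
      echo "MISSING $d"
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# make_fixture
#   Builds a throwaway repo mirroring the state CodeRabbit found: the PR's
#   config lists three directories, but only two carry a package.json.
#   Every file written here is constructed for the example; prints the root.
make_fixture() {
  root="$(mktemp -d)"
  mkdir -p "$root/.github" "$root/sdk-quickstart" "$root/mcp-server-setup" "$root/adk-hello-agent"
  cat > "$root/.github/dependabot.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: npm
    directory: /sdk-quickstart
    schedule:
      interval: weekly
  - package-ecosystem: npm
    directory: /mcp-server-setup
    schedule:
      interval: weekly
  - package-ecosystem: npm
    directory: /adk-hello-agent
    schedule:
      interval: weekly
EOF
  printf '{"name":"sdk-quickstart","private":true}\n' > "$root/sdk-quickstart/package.json"
  printf '{"name":"adk-hello-agent","private":true}\n' > "$root/adk-hello-agent/package.json"
  echo "$root"
}

# Stand-alone run: build the fixture, run the check, report the verdict.
fixture="$(make_fixture)"
check_dependabot_dirs "$fixture" && status=0 || status=$?
if [ "$status" -eq 0 ]; then
  echo "dependabot.yml is consistent with the repository tree"
else
  echo "dependabot.yml has $status entry/entries without a package.json"
fi
rm -rf "$fixture"
```

Pointed at a real checkout (`check_dependabot_dirs /path/to/repo`), the non-zero return code makes it usable as a CI gate on changes to `.github/dependabot.yml`; on this PR's tree it reports `MISSING /mcp-server-setup` and returns 1.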
