Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This automatically enables Dependabot to: * Submit pull requests for security updates and version updates for Composer dependencies. * Submit pull requests for security updates and version updates for GH Action runner dependencies. For Composer dependencies, a preference is given to _widen_ the version restrictions instead of updating them to a new minimum. This is a deliberate choice as this package is a library, not an application. The configuration has been set up to: * Run once a week. * Submit a maximum of 5 pull requests at a time. If additional pull requests are needed, these will subsequently be submitted the next time Dependabot runs after one or more of the open pull requests have been merged. * The commit messages for PRs submitted by Dependabot will be prefixed according the unofficial conventions used in this repo up to now. * The PRs will automatically be labelled with an appropriate label as already in use in this repo. Additionally, for Composer updates, I've applied the following restrictions: * Only allow updates for "dev" dependencies, as non-dev dependencies (PHPCS, Composer Installers) will need a code review and likely warrant code changes. * Ignore major releases of the PHPUnit Polyfills package (= new PHPUnit major) as those generally require a managed update of the test suite. Refs: * https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file * https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy
- Loading branch information