# Dependabot configuration for automated dependency updates
# Critical: CVE-2025-55182 compromise was caused by delayed security updates
#
# Scope of this file: the `schedule` blocks below set the cadence of
# Dependabot *version* updates. Dependabot *security* updates are raised
# from advisories and are enabled in the repository's security settings,
# not by this file - confirm they are turned on, since that is the control
# that addresses delayed security fixes.
version: 2
updates:
  # npm (pnpm) dependencies - daily checks for security-critical updates
  - package-ecosystem: "npm"
    directory: "/"
    # NOTE(review): security-update PRs are always opened against the
    # default branch. When target-branch names a non-default branch, the
    # settings of this entry (labels, groups, commit-message, ...) apply to
    # version updates only. Verify whether `develop` is the default branch.
    target-branch: "develop"
    schedule:
      interval: "daily"
      # Quoted so the value stays a string ("04:00" unquoted is at risk of
      # YAML 1.1 sexagesimal parsing).
      time: "04:00"
      timezone: "Europe/Berlin"
    labels:
      - "dependencies"
    # pnpm is auto-detected via lockfile
    # "increase" always raises the version requirement in package.json to
    # match the new release, so the manifest and the lockfile move together.
    versioning-strategy: "increase"
    # Cap on simultaneously open *version-update* PRs; security updates use
    # a separate internal limit and are not throttled by this value.
    open-pull-requests-limit: 20
    # Groups below have no `applies-to` key, so they default to version
    # updates. Each group lists only minor and patch update-types: a major
    # bump of any matching package is not grouped and gets its own PR.
    groups:
      payload-core:
        patterns:
          - "@payloadcms/*"
          - "payload"
          - "payload-oapi"
        update-types:
          - "minor"
          - "patch"
      react-nextjs:
        patterns:
          - "react"
          - "react-dom"
          - "next"
          - "@types/react"
          - "@types/react-dom"
          - "eslint-config-next"
        update-types:
          - "minor"
          - "patch"
      fullcalendar:
        patterns:
          - "@fullcalendar/*"
        update-types:
          - "minor"
          - "patch"
      # Catch-all for development dependencies (selected by dependency-type
      # rather than by name pattern).
      dev-dependencies:
        dependency-type: "development"
        update-types:
          - "minor"
          - "patch"
        # These three packages are also listed in the react-nextjs group
        # above; excluding them keeps them out of this group.
        exclude-patterns:
          - "@types/react"
          - "@types/react-dom"
          - "eslint-config-next"
    # Commit/PR title prefixes: "deps" for regular dependencies and
    # "deps(dev)" for development dependencies; include: "scope" appends
    # Dependabot's scope marker after the prefix.
    commit-message:
      prefix: "deps"
      prefix-development: "deps(dev)"
      include: "scope"

  # GitHub Actions - weekly updates
  # directory "/" makes Dependabot look for workflow files under
  # .github/workflows. No groups are defined for this entry, so each action
  # bump arrives as its own PR.
  - package-ecosystem: "github-actions"
    directory: "/"
    # NOTE(review): same target-branch caveat as the npm entry - security
    # updates go to the default branch regardless of this value.
    target-branch: "develop"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "04:00"
      timezone: "Europe/Berlin"
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps(actions)"