From 6a973f43fbbd53780feb58d97962a6bbcc2744f5 Mon Sep 17 00:00:00 2001
From: Paul Carleton
Date: Wed, 25 Mar 2026 11:34:49 +0000
Subject: [PATCH] chore(deps): ignore major version bumps in dependabot

Major bumps of devDeps (eslint, typescript, prettier) need manual config migration and provide no value for conformance testing. Security updates still come through regardless; scheduled updates are now minor/patch only.
---
 .github/dependabot.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 9d1dc11..77cff36 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,5 +1,9 @@
 version: 2

+# Security updates always come through regardless of these settings.
+# Scheduled (non-security) updates are limited to minor/patch only —
+# major bumps of devDeps like eslint/typescript are manual decisions.
+
 updates:
 - package-ecosystem: npm
 directory: /
@@ -9,6 +13,9 @@ updates:
 all-dependencies:
 patterns:
 - '*'
+ ignore:
+ - dependency-name: '*'
+ update-types: ['version-update:semver-major']

 - package-ecosystem: npm
 directory: /examples/servers/typescript
@@ -18,6 +25,9 @@ updates:
 all-dependencies:
 patterns:
 - '*'
+ ignore:
+ - dependency-name: '*'
+ update-types: ['version-update:semver-major']

 - package-ecosystem: github-actions
 directory: /
@@ -27,3 +37,6 @@ updates:
 all-actions:
 patterns:
 - '*'
+ ignore:
+ - dependency-name: '*'
+ update-types: ['version-update:semver-major']
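Review bot: The header comment added in the first hunk says security updates "always come through", but nothing in this file guarantees that. The `update-types` filter applies to version updates only; a security PR still depends on Dependabot security updates being enabled in the repository settings and on an advisory existing for the package. I would reword the first comment line to `# update-types does not filter security updates, but those require Dependabot security updates to be enabled in repo settings.` The `ignore` rules in the next three hunks also use `dependency-name: '*'`, so they cover every dependency in each directory, not only the devDeps the comment and commit message name. If eslint, typescript and prettier are the real concern, listing those names would keep major bumps visible for everything else.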
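Review bot: The `ignore` block added to the `github-actions` entry in the last hunk is not covered by the stated rationale (config migration for npm devDeps), and it stops scheduled PRs for new action majors. Older action majors typically stop receiving fixes, and advisory coverage for actions tends to be thinner than for npm, so the security-update path is likely a weaker backstop here. I would drop the three added lines from this entry. If they stay, add a comment naming who reviews major action bumps and how often, for example `# major action bumps: reviewed manually, see <OWNER/PROCESS PLACEHOLDER>`.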