[dependabot] Pin Vue 2.x and ecosystem to prevent major version upgrade PRs

Tim020 · claude · Tim020 · commit 84e824f38e61 · 2026-03-03T23:03:42.000Z
The update-types ignore condition only applies to version updates, not
security updates. Dependabot was raising PRs to upgrade Vue 2→3 via
grouped security update PRs (which bypass update-types filters and always
target the default branch). Add explicit versions conditions for vue,
vue-router, and vuex to block these upgrades from both update types.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,6 +5,15 @@ updates:
     schedule:
       interval: "daily"
     ignore:
+      # Pinned to Vue 2.x - upgrading to Vue 3 requires a full application rewrite.
+      # versions condition applies to both version updates AND security updates,
+      # unlike update-types which only applies to version updates.
+      - dependency-name: "vue"
+        versions: [">=3.0.0"]
+      - dependency-name: "vue-router"
+        versions: [">=4.0.0"]
+      - dependency-name: "vuex"
+        versions: [">=5.0.0"]
       - dependency-name: "*"
         update-types: ["version-update:semver-major"]
     versioning-strategy: increase
