From 8efb5b68f624a3c9ebd7924c7268df45945886c1 Mon Sep 17 00:00:00 2001
From: Brian Shand <Brian.Shand@nhs.net>
Date: Fri, 20 Feb 2026 09:45:25 +0000
Subject: [PATCH] Dependabot should ignore npm packages, and only update ruby
 gems

---
 .github/dependabot.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 255a42f7..e564f794 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,3 +11,12 @@ updates:
       interval: "daily"
     vendor: true
     open-pull-requests-limit: 0 # Disable gem updates. Does not affect security updates.
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    # Ignore all npm updates, because we have our own GitHub Actions solution using yarn audit
+    # and because Dependabot does not populate vendor/npm-packages-offline-cache/
+    exclude-paths:
+      - "*"
+    open-pull-requests-limit: 0 # Disable version updates for npm dependencies