ci(dependabot): restore cargo PR limit so security PRs flow (#45)

hyperpolymath · web-flow · commit 46839ce6ab1d · 2026-05-12T23:11:52.000+02:00
Propagates rsr-template-repo#37 fix. `open-pull-requests-limit: 0` on
the cargo block was empirically suppressing Dependabot **security** PRs
estate-wide (not just version updates as the previous comment claimed).
Restoring to `10` with grouped minor/patch updates to keep noise
contained while letting security advisories flow.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -18,6 +18,13 @@ updates:
     # `ignore: "*" patch` rule also silenced security PRs under GitHub\'s
     # current Dependabot behaviour. See rsr-template-repo commit 78b050e
     # and 007-lang/audits/audit-dependabot-automation-gap-2026-04-17.md.
-    open-pull-requests-limit: 0
+    open-pull-requests-limit: 10
+    groups:
+      cargo:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
   
-  # Note: npm/pip removed per RSR - use Deno (deno.json) for JS, Julia/Rust for data processing
+  # Note: npm/pip removed per RSR - use Deno (deno.json) for JS, Julia/Rust for data processing
