chore: Add Dependabot version-update cooldown

[ld-repository-standards]

This pull request was auto generated by the LaunchDarkly Github Standards automation platform.

• Ensure every entry under updates in .github/dependabot.yml declares a cooldown of at least 7 days (default-days).
• Add entries for detected package ecosystems that were not yet tracked by Dependabot.

Cooldown applies only to version updates; security updates bypass it, so critical CVE fixes are never delayed.

Ref: SEC-8058.

---

Note

Low Risk
CI-only configuration with no runtime or application code changes; only affects how and when Dependabot opens update PRs.

Overview
Introduces .github/dependabot.yml to automate dependency updates across the monorepo.

Each update entry uses a weekly schedule and a cooldown.default-days: 7 so version-update PRs are spaced out; security updates are not subject to this cooldown (per Dependabot behavior). Coverage includes GitHub Actions at the repo root and npm for the root plus many packages/ paths (SDKs, AI providers, shared libs, stores, telemetry, tooling, and examples).

This aligns with org standards (SEC-8058): newly detected npm workspaces get their own entries instead of relying on a partial config.

^{Reviewed by Cursor Bugbot for commit 5698b08. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

@launchdarkly/js-sdk-common size report
This is the brotli compressed size of the ESM build.
Compressed size: 26365 bytes
Compressed size limit: 29000
Uncompressed size: 129044 bytes

[github-actions]

@launchdarkly/js-client-sdk size report
This is the brotli compressed size of the ESM build.
Compressed size: 31978 bytes
Compressed size limit: 34000
Uncompressed size: 114243 bytes

[github-actions]

@launchdarkly/js-client-sdk-common size report
This is the brotli compressed size of the ESM build.
Compressed size: 38739 bytes
Compressed size limit: 39000
Uncompressed size: 212244 bytes

[github-actions]

@launchdarkly/browser size report
This is the brotli compressed size of the ESM build.
Compressed size: 179579 bytes
Compressed size limit: 200000
Uncompressed size: 831422 bytes

[cursor]

Duplicate npm Dependabot coverage

Medium Severity

The file registers npm version updates at the repo root and again for each Yarn workspace package.json. For this monorepo, a root npm entry already scans every workspace listed in the root package.json, so the per-package entries largely repeat the same scope and can produce overlapping Dependabot PRs for the same dependency.

Additional Locations (1)

• .github/dependabot.yml#L14-L20

 

^{Reviewed by Cursor Bugbot for commit f629fdc. Configure here.}

[cursor]

Renovate and Dependabot overlap

Medium Severity

This commit adds a github-actions Dependabot entry while renovate.json still extends the recommended preset and keeps GitHub Actions updates enabled (only npm is disabled). If Renovate remains installed on the repo, both bots can propose the same workflow action bumps.

 

^{Reviewed by Cursor Bugbot for commit f629fdc. Configure here.}

[joker23]

Need to reassess.

[cursor]

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

There are 3 total unresolved issues (including 2 from previous reviews).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 5698b08. Configure here.}

[cursor]

Dependabot path missing package

Low Severity

The npm update entry points at /packages/sdk/react/examples/testing, but that directory is not in the repo and has no package.json. Dependabot cannot run version updates for that block, so the job fails or shows a persistent configuration error while other entries keep working.

 

^{Reviewed by Cursor Bugbot for commit 5698b08. Configure here.}