From 4423dc9789d80055404517e0c34e0c62cc72f2e0 Mon Sep 17 00:00:00 2001
From: Youssef Raafat
Date: Wed, 11 Jan 2023 14:57:33 +0200
Subject: [PATCH] [SEC-3364] Remove Dependabot (#883)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Dependabot alerts are not applied to the users’ apps for the following reasons:
1. We do not have any actual dependencies in our SDK, just peer and dev dependencies, which do not get installed in the user apps.
2. Supposedly we had a dependency in the future, the package manager will not respect the versions in our yarn.lock, since the dependency resolution will be done in the user’s app according to our package.json not yarn.lock. (*)
References:
(*): A comment by one of Yarn creators, explaining the dependency resolution in an app vs a library: yarnpkg/yarn#838
---
 .github/dependabot.yml | 10 ----------
 1 file changed, 10 deletions(-)
 delete mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index 50b4a4abd..000000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-version: 2
-
-updates:
- - package-ecosystem: npm
- directory: /
- schedule:
- interval: weekly
- ignore:
- - dependency-name: '*'
- update-types: [version-update:semver-major]