feat: add Dependabot configuration

[DaleSeo]

Summary

Adds Dependabot configuration to automate dependency updates for this repository.

Changes

• Created .github/dependabot.yml with configuration for:
  • npm ecosystem updates (weekly on Mondays)
  • GitHub Actions updates (weekly on Mondays)
  • Grouped updates for Storybook, testing, ESLint, and React packages
• Configured reasonable PR limits to prevent overwhelming the team

Benefits

• Automated dependency updates to keep packages current
• Reduced security vulnerabilities through timely updates
• Grouped updates make reviews more manageable
• Works seamlessly with Bun package manager

Closes #236

Generated with Claude Code

[DaleSeo]

@claude We should use bun instead npm.

[claude]

Claude finished @DaleSeo's task —— View job

---

Analysis

• Read the current Dependabot configuration
• Research Dependabot support for Bun
• Provide guidance on the configuration

Findings

Unfortunately, GitHub Dependabot does not currently support bun as a package-ecosystem value. The supported package ecosystems are:

• bundler (Ruby)
• cargo (Rust)
• composer (PHP)
• docker
• elm
• github-actions
• gomod (Go)
• gradle (Java)
• maven (Java)
• mix (Elixir)
• npm (JavaScript/Node.js)
• nuget (.NET)
• pip (Python)
• terraform
• And a few others, but not bun

Good News

The current configuration using package-ecosystem: "npm" is actually correct and will work perfectly with Bun because:

1. Bun is npm-compatible: Bun reads and respects package.json and package-lock.json (or bun.lockb) files
2. Dependabot updates package.json: When Dependabot creates PRs, it modifies package.json, which Bun will use
3. Standard practice: This is the recommended approach for Bun projects until GitHub adds native Bun support

Recommendation

Keep the current configuration as-is with package-ecosystem: "npm". The comment on line 3 already clarifies this: "Enable version updates for npm (compatible with Bun)".

When Dependabot creates update PRs, you can run bun install to update the bun.lockb file, and everything will work as expected.

Would you like me to update the comment to make it even clearer, or are you comfortable keeping it as-is?

---

[DaleSeo]

#239 스토리북 업그레이드 완료 후에 Dependbot을 활성화 시키겠음

[DaleSeo]

@claude We should use bun instead npm.

[claude]

Claude finished @DaleSeo's task —— View job

---

Analysis

• Read current Dependabot configuration
• Verify current ecosystem setting
• Provide clarification

---

Findings

Good news! I can see that the .github/dependabot.yml file has already been updated to use package-ecosystem: "bun" (line 3).

Current Configuration:

- package-ecosystem: "bun"
  directory: "/"
  schedule:
    interval: "weekly"
    day: "monday"

Important Note About Bun Support

While the configuration now uses "bun", I should mention that GitHub Dependabot's native support for Bun is relatively recent. According to GitHub's documentation, bun was added as a supported package ecosystem.

The current configuration looks correct and should work properly with your Bun-based project. Dependabot will:

• Read your package.json
• Create PRs to update dependencies
• Work with Bun's lockfile (bun.lockb)

Summary

✅ The configuration is already using package-ecosystem: "bun" as requested
✅ No changes needed - the file is correctly set up for your Bun project

---