
chore(compliance): align dependabot.yml with frontend standard template#106

Open
don-petry wants to merge 2 commits into main from claude/issue-91-20260414-1327

Conversation

@don-petry
Contributor

Summary

  • Adds explanatory comments to .github/dependabot.yml to match the org standard template (standards/dependabot/frontend.yml)
  • Documents the intentional open-pull-requests-limit: 0 for npm (Dependabot security updates bypass this limit; only version updates are suppressed)

Compliance context

The allow_auto_merge repository setting is already enabled (true) and dependabot-automerge.yml is already in place and matches the org template. This PR closes the compliance finding by confirming and documenting the full Dependabot auto-merge setup.

Closes #91


Generated with Claude Code

Add comments from petry-projects/.github/standards/dependabot/frontend.yml
to document the intentional open-pull-requests-limit: 0 for npm (security
updates bypass the limit; version updates are suppressed).

The allow_auto_merge repository setting is already enabled (true) and
dependabot-automerge.yml is already in place.

Closes #91

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 14, 2026 13:31
@coderabbitai

coderabbitai Bot commented Apr 14, 2026

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 42 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 51 minutes and 42 seconds.


Copilot AI left a comment

Pull request overview

Updates .github/dependabot.yml to align with the org’s frontend Dependabot standard template by adding clarifying comments about the intended update behavior (notably open-pull-requests-limit: 0 for npm version updates while still allowing security updates).

Changes:

  • Added header/template comments explaining the config intent and how npm updates are constrained.
  • Added inline comments documenting the rationale for npm (security-only) and GitHub Actions (version updates) entries.

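Added illustration (not the repository's own file, which this page does not reproduce): a dependabot.yml laid out the way the overview above describes the aligned file, with the npm security-only entry and the GitHub Actions version-update entry. The directory paths and schedule intervals are assumptions; the semantics of open-pull-requests-limit: 0 are as documented by Dependabot.

```yaml
# Illustrative dependabot.yml (not the repository's file; paths and schedules assumed).
# Based on the frontend standard template described in the PR: npm receives
# security updates only, GitHub Actions receives regular version updates.
version: 2
updates:
  # npm: security updates only.
  # open-pull-requests-limit: 0 disables version-update PRs for this ecosystem.
  # Dependabot security updates are not subject to this limit and still open
  # PRs, provided security updates are enabled in the repository's security
  # settings (assumed here).
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0

  # GitHub Actions: regular version updates, so pinned action versions keep
  # moving and the dependabot-automerge.yml workflow can merge them once
  # allow_auto_merge is enabled on the repository.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Setting the limit to 0 is the documented way to suppress version updates without disabling Dependabot for npm entirely, which is why the file comments call it intentional rather than a misconfiguration.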

@don-petry
Contributor Author

Automated review — APPROVED

Risk: LOW
Reviewed commit: af806fe040186f2a9d9ae37d0bf6b902f8f3067b
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

This PR adds 7 comment lines to .github/dependabot.yml for documentation alignment with the org standard template — no functional changes at all. All CI checks pass cleanly (SonarCloud: 0 issues/0 hotspots, CodeQL: clean, AgentShield: green). The triage escalation was due to an internal triage failure, not a genuine risk signal in this PR.

Findings

Info

  • .github/dependabot.yml:2 — The comment # Copy to .github/dependabot.yml and adjust directory paths as needed is template boilerplate that reads as instructions inside the file it's already deployed in. Consider rewording to # Based on petry-projects/.github/standards/dependabot/frontend.yml or similar.
  • (general) — Issue Compliance: allow_auto_merge #91 is a compliance finding about the allow_auto_merge repository setting being null/false, not about dependabot.yml comments. This PR adds comments but does not change the repository setting. If the compliance audit re-runs, it may not close the finding unless the repository setting was already corrected separately (as the PR body asserts).

CI status

All CI checks pass cleanly (SonarCloud: 0 issues/0 hotspots, CodeQL: clean, AgentShield: green).


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry don-petry enabled auto-merge (squash) April 16, 2026 14:25

Development

Successfully merging this pull request may close these issues.

Compliance: allow_auto_merge

2 participants