chore(example-apps/react-js): bump the all-deps group across 1 directory with 13 updates

[dependabot]

Bumps the all-deps group with 13 updates in the /example-apps/react-js directory:

Package	From	To
@tanstack/react-query	5.100.11	5.101.0
html-react-parser	6.1.1	6.1.3
lucide-react	1.16.0	1.18.0
react	19.2.6	19.2.7
@types/react	19.2.14	19.2.17
react-dom	19.2.6	19.2.7
react-router-dom	7.15.1	7.17.0
react-tooltip	6.0.4	6.0.7
@vitest/coverage-v8	4.1.7	4.1.9
eslint	10.2.1	10.5.0
eslint-plugin-react-refresh	0.5.2	0.5.3
vite	8.0.14	8.0.16
vitest	4.1.7	4.1.9

Updates @tanstack/react-query from 5.100.11 to 5.101.0

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.101.0

Patch Changes

• Updated dependencies [3042860, e631dc3]:
  • @​tanstack/query-devtools@​5.101.0
  • @​tanstack/react-query@​5.101.0

@​tanstack/react-query-next-experimental@​5.101.0

Patch Changes

• #10857 7cf5923 - fix(react-query-next-experimental): replace deprecated 'isServer' with 'environmentManager.isServer()'

• Updated dependencies []:

  • @​tanstack/react-query@​5.101.0

@​tanstack/react-query-persist-client@​5.101.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.101.0
  • @​tanstack/react-query@​5.101.0

@​tanstack/react-query@​5.101.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.101.0

@​tanstack/react-query-devtools@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14
  • @​tanstack/query-devtools@​5.100.14

@​tanstack/react-query-next-experimental@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14

@​tanstack/react-query-persist-client@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14
  • @​tanstack/query-persist-client-core@​5.100.14

@​tanstack/react-query@​5.100.14

Patch Changes

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.101.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.101.0

5.100.14

Patch Changes

• fix(react-query): do not go into optimistic fetching state when not subscribed (#10759)

• Updated dependencies []:

  • @​tanstack/query-core@​5.100.14

5.100.13

Patch Changes

• Updated dependencies [d423168]:
  • @​tanstack/query-core@​5.100.13

5.100.12

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.12

Commits

• f3d8d2a ci: Version Packages (#10774)
• 532bb29 fix(tests): disable local coverage instrumentation (#10776)
• ba6e7be ci: Version Packages (#10767)
• ed20b6d fix(react): do not go into optimistic fetching state when not subscribed (#10...
• 05cf2bc ci: Version Packages (#10758)
• d423168 fix(query-core): use built-in NoInfer for generic indexed-access types (#10593)
• 5ff4f69 ci: Version Packages (#10755)
• See full diff in compare view

Updates html-react-parser from 6.1.1 to 6.1.3

Release notes

Sourced from html-react-parser's releases.

v6.1.3

6.1.3 (2026-05-31)

Build System

• deps: bump html-dom-parser from 7.1.0 to 8.0.0 (#2261) (6cec8ca)

v6.1.2

6.1.2 (2026-05-22)

Build System

• deps: bump style-to-js from 1.1.21 to 2.0.0 (#2257) (c55e094)

Changelog

Sourced from html-react-parser's changelog.

6.1.3 (2026-05-31)

Build System

• deps: bump html-dom-parser from 7.1.0 to 8.0.0 (#2261) (6cec8ca)

6.1.2 (2026-05-22)

Build System

• deps: bump style-to-js from 1.1.21 to 2.0.0 (#2257) (c55e094)

Commits

• c7df5c3 Merge pull request #2267 from remarkablemark/release-please--branches--master...
• 519e59a chore(master): release 6.1.3
• 6cec8ca build(deps): bump html-dom-parser from 7.1.0 to 8.0.0 (#2261)
• eae73e6 build(deps-dev): bump eslint in the eslint group across 1 directory (#2264)
• 0681c1e build(deps-dev): bump lint-staged from 17.0.5 to 17.0.7 (#2266)
• 02bbd2d build(deps-dev): bump @​arethetypeswrong/cli from 0.18.2 to 0.18.3 (#2265)
• e650321 build(deps-dev): bump the commitlint group with 2 updates (#2263)
• 7309166 build(deps-dev): bump eslint-plugin-prettier in the eslint group (#2262)
• 668b359 build(deps-dev): bump typescript-eslint in the eslint group (#2260)
• 034837e Merge pull request #2259 from remarkablemark/dependabot/github_actions/github...
• Additional commits viewable in compare view

Updates lucide-react from 1.16.0 to 1.18.0

Release notes

Sourced from lucide-react's releases.

Version 1.18.0

What's Changed

• chore(site): Remove survey from site by @​ericfennis in lucide-icons/lucide#4417
• feat(icons): added play-off icon by @​Ahmed-Dghaies in lucide-icons/lucide#4412
• fix(metadata): add missing use-cases prop on play-off.json by @​karsa-mistmere in lucide-icons/lucide#4423
• fix(docs): force hide #bb-banner, if html.has-bb-banner is missing by @​karsa-mistmere in lucide-icons/lucide#4422
• fix(docs): Remove @next from installation instructions for@lucide/svelte by @​alecglassford in lucide-icons/lucide#4432
• feat(packages/angular): add support for Angular v22 and onwards by @​karsa-mistmere in lucide-icons/lucide#4450
• fix(ci): add check to skip release if latest tag was created today by @​ericfennis in lucide-icons/lucide#4085
• feat(icons): added webcam-off icon by @​jordan-burnett in lucide-icons/lucide#4242

New Contributors

• @​alecglassford made their first contribution in lucide-icons/lucide#4432
• @​jordan-burnett made their first contribution in lucide-icons/lucide#4242

Full Changelog: lucide-icons/lucide@1.17.0...1.18.0

Version 1.17.0

What's Changed

• chore(lucide-vue-next|lucide-svelte|lucide-angular): Remove deprecated packages by @​ericfennis in lucide-icons/lucide#4376
• chore(repo): Update issue templates and documentation for package ren… by @​ericfennis in lucide-icons/lucide#4379
• feat(site): Adds survey overlay to website by @​ericfennis in lucide-icons/lucide#4380
• feat(site): Certificate dev links by @​ericfennis in lucide-icons/lucide#4390
• fix(icons): changed martini icon by @​jamiemlaw in lucide-icons/lucide#4335
• chore(deps): bump brace-expansion from 1.1.11 to 5.0.6 by @​dependabot[bot] in lucide-icons/lucide#4386
• chore(deps): bump @​tootallnate/once from 2.0.0 to 2.0.1 by @​dependabot[bot] in lucide-icons/lucide#4404
• chore(deps): bump devalue from 5.8.0 to 5.8.1 by @​dependabot[bot] in lucide-icons/lucide#4391
• chore(deps): bump ws from 8.18.0 to 8.20.1 by @​dependabot[bot] in lucide-icons/lucide#4392
• fix(gh-icon): limit icon size to a maximum of 256 pixels by @​jguddas in lucide-icons/lucide#4398
• chore(dependencies): Update dependencies by @​ericfennis in lucide-icons/lucide#4377
• feat(copilot): Adding copilot instructions by @​ericfennis in lucide-icons/lucide#4407
• feat(icons): add globe-check by @​Barakudum in lucide-icons/lucide#4342
• feat(metadata): Require use-cases in meta json by @​ericfennis in lucide-icons/lucide#4321
• feat(icons): added parasol icon by @​karsa-mistmere in lucide-icons/lucide#4347

Full Changelog: lucide-icons/lucide@1.16.0...1.17.0

Commits

• See full diff in compare view

Updates react from 19.2.6 to 19.2.7

Release notes

Sourced from react's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (#36566 by @​unstubbable)

Commits

• 6117d7c Version 19.2.7 (#36591)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react since your current version.

Updates @types/react from 19.2.14 to 19.2.17

Commits

• See full diff in compare view

Updates react-dom from 19.2.6 to 19.2.7

Release notes

Sourced from react-dom's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (#36566 by @​unstubbable)

Commits

• 6117d7c Version 19.2.7 (#36591)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react-dom since your current version.

Updates react-router-dom from 7.15.1 to 7.17.0

Changelog

Sourced from react-router-dom's changelog.

v7.17.0

Patch Changes

• Updated dependencies:
  • react-router@7.17.0

v7.16.0

Patch Changes

• Remove stale/invalid unpkg field from package.json. This was removed from other packages with the release of v7 but missed in the react-router-dom re-export package (#15075)
• Updated dependencies:
  • react-router@7.16.0

Commits

• 195a0d0 Release v7.17.0 (#15145)
• 8984d23 Release v7.16.0 (#15105)
• 3ed77af chore: format
• e96962b fix: remove stale unpkg field from react-router-dom (#15075)
• See full diff in compare view

Updates react-tooltip from 6.0.4 to 6.0.7

Release notes

Sourced from react-tooltip's releases.

v6.0.7

If you like ReactTooltip, please give the project a star on GitHub 🌟

What's Changed

• fix: support anchor elements with dataset capability instead of only HTMLElement by @​danielbarion in ReactTooltip/react-tooltip#1280

Full Changelog: ReactTooltip/react-tooltip@v6.0.6...v6.0.7

v6.0.6

If you like ReactTooltip, please give the project a star on GitHub 🌟

What's Changed

• fix: delegated event listener by @​danielbarion in ReactTooltip/react-tooltip#1278

Full Changelog: ReactTooltip/react-tooltip@v6.0.5...v6.0.6

v6.0.5

If you like ReactTooltip, please give the project a star on GitHub 🌟

What's Changed

• fix: open tooltip on click when anchor stops propagation by @​danielbarion in ReactTooltip/react-tooltip#1275

Full Changelog: ReactTooltip/react-tooltip@v6.0.4...v6.0.5

Commits

• 1099ad1 chore: bump version 6.0.7
• 06fa619 docs: update react tooltip version to match 6.x range instead of hard coded
• 2dafd9f Merge pull request #1280 from ReactTooltip/fix/anchor-elements-type
• 53ba78a fix: support anchor elements with dataset capability instead of only HTMLElement
• 4cc9054 docs: bump react-tooltip version to 6.0.6 for V6 docs
• d4ab374 chore: bump version 6.0.6
• a125115 Merge pull request #1278 from ReactTooltip/fix/delegated-event-listener
• 58511a9 fix: delegated event listener
• af0a01a chore: bump version 6.0.5
• 4c94ab8 chore: remove matrix of react version
• Additional commits viewable in compare view

Updates @vitest/coverage-v8 from 4.1.7 to 4.1.9

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

Commits

• See full diff in compare view

Updates eslint from 10.2.1 to 10.5.0

Release notes

Sourced from eslint's releases.

v10.5.0

Features

• 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#20973) (Pixel998)
• b565783 feat: report no-with violations at the with keyword (#20971) (Pixel998)
• 2ce032f feat: report max-lines-per-function violations at function head (#20966) (Pixel998)
• 732cb3e feat: report max-nested-callbacks violations at function head (#20967) (Pixel998)
• f9c138a feat: report max-depth violations on keywords (#20943) (Pixel998)
• bdb496c feat: correct max-depth handling for else-if chains (#20944) (Pixel998)
• c296873 feat: update error loc in max-statements to function header (#20907) (Taejin Kim)

Documentation

• 8ae1b5b docs: Update README (GitHub Actions Bot)
• ca7eb90 docs: update Node.js prerequisites to include ICU support (#20962) (Francesco Trotta)
• f99b47a docs: Update README (GitHub Actions Bot)
• acf03d4 docs: clarify precedence of parserOptions over languageOptions (#20926) (sethamus)

Chores

• b18bf58 chore: update ecosystem plugins (#20959) (ESLint Bot)
• c2d1444 refactor: replace areAllSegmentsUnreachable with !isAnySegmentReachable (#20951) (Taejin Kim)
• 243b8c5 chore: enhance config-rule to support oneOf, anyOf, and nested schemas (#20788) (kuldeep kumar)
• 217b2a9 test: add unit tests for ParserService (#20949) (Taejin Kim)
• 72003e7 test: add location information to error messages in max-statements (#20945) (lumir)
• 7797c26 refactor: deduplicate isAnySegmentReachable across rules (#20890) (Taejin Kim)
• 67c46fa chore: update ecosystem plugins (#20938) (ESLint Bot)
• 95d8c7a chore: update dependency @​eslint/json to v2 (#20934) (renovate[bot])
• cf9e496 chore: update @​arethetypeswrong/cli to 0.18.3 (#20933) (Pixel998)
• fb6d396 test: run type tests with TypeScript 7 (#20868) (sethamus)

v10.4.1

Bug Fixes

• e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#20930) (Francesco Trotta)
• d4ce898 fix: propagate failures from delegated commands (#20917) (Minh Vu)
• f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#20916) (kuldeep kumar)
• c5bc78b fix: false positive for reference in finally block (#20655) (Tanuj Kanti)
• 27538c0 fix: add missing CodePath and CodePathSegment types (#20853) (Pixel998)

Documentation

• 61b0add docs: remove deprecated rule from related rules of max-params (#20921) (Tanuj Kanti)
• 305d5b9 docs: remove deprecated rules from related rules section (#20911) (Tanuj Kanti)
• 49b0202 docs: fix display: none of ad (#20901) (Tanuj Kanti)
• 9067f94 docs: switch build to Node.js 24 (#20893) (Milos Djermanovic)
• c91b041 docs: Update README (GitHub Actions Bot)
• e349265 docs: clarify semver strings in rule deprecation objects (#20885) (Milos Djermanovic)

Chores

• b0e466b test: add data property to invalid tests cases for rules (#20924) (Tanuj Kanti)
• f78838b test: add CodePath type coverage (#20904) (Pixel998)
• 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#20922) (Francesco Trotta)
• 002942c ci: declare contents:read on update-readme workflow (#20919) (Arpit Jain)
• 64bca24 chore: update ecosystem plugins (#20912) (ESLint Bot)

... (truncated)

Commits

• de3b672 10.5.0
• 362a518 Build: changelog update for 10.5.0
• 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#20973)
• b565783 feat: report no-with violations at the with keyword (#20971)
• 2ce032f feat: report max-lines-per-function violations at function head (#20966)
• 732cb3e feat: report max-nested-callbacks violations at function head (#20967)
• f9c138a feat: report max-depth violations on keywords (#20943)
• 8ae1b5b docs: Update README
• ca7eb90 docs: update Node.js prerequisites to include ICU support (#20962)
• b18bf58 chore: update ecosystem plugins (#20959)
• Additional commits viewable in compare view

Updates eslint-plugin-react-refresh from 0.5.2 to 0.5.3

Release notes

Sourced from eslint-plugin-react-refresh's releases.

v0.5.3

• Fix check for non component class exported via export { } #110 (fixes #109)

Changelog

Sourced from eslint-plugin-react-refresh's changelog.

0.5.3

• Fix check for non component class exported via export { } #110 (fixes #109)

Commits

• 00818e9 v0.5.3 [publish]
• 202fc4a Fix PascalCase class exported via export { Name } incorrectly treated as Re...
• See full diff in compare view

Updates vite from 8.0.14 to 8.0.16

Release notes

Sourced from vite's releases.

v8.0.16

Please refer to CHANGELOG.md for details.

v8.0.15

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.16 (2026-06-01)

Bug Fixes

• deps: reject UNC paths for launch-editor-middleware (#22571) (50b9512)
• reject windows alternate paths (#22572) (dc245c7)

8.0.15 (2026-06-01)

Features

• send 408 on request timeout (#22476) (c85c9ee)
• update rolldown to 1.0.3 (#22538) (646dbed)

Bug Fixes

• capitalize error messages and remove spurious space in parse error (#22488) (85a0eff)
• deps: update all non-major dependencies (#22511) (2686d7d)
• dev: fix html-proxy cache key mismatch for /@fs/ HTML paths (#21762) (47c4213)
• glob: error on relative glob in virtual module when no files match (#22497) (5c8e98f)
• optimizer: close the rolldown bundle when write() rejects (#22528) (e3cfb9d)
• resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#22509) (40985f1)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22566) (3052a67)

Code Refactoring

• correct logic in collectAllModules function (#22562) (6978a9c)

Commits

• f94df87 release: v8.0.16
• dc245c7 fix: reject windows alternate paths (#22572)
• 50b9512 fix(deps): reject UNC paths for launch-editor-middleware (#22571)
• 8d1b019 release: v8.0.15
• 2686d7d fix(deps): update all non-major dependencies (#22511)
• 3052a67 chore(deps): update rolldown-related dependencies (#22566)
• e3cfb9d fix(optimizer): close the rolldown bundle when write() rejects (#22528)
• 6978a9c refactor: correct logic in collectAllModules function (#22562)
• 646dbed feat: update rolldown to 1.0.3 (#22538)
• 85a0eff fix: capitalize error messages and remove spurious space in parse error (#22488)
• Additional commits viewable in compare view

Updates vitest from 4.1.7 to 4.1.9

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[Ryan-Millard]

@coderabbitai this PR's workflows failed because the pnpm lock file wasn't updated by dependabot. What is the best way to fix this?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@Ryan-Millard The cleanest way to fix this is to manually regenerate the pnpm-lock.yaml file on the Dependabot branch. Here are your options, from easiest to most manual:

---

Option 1: Ask Dependabot to rebase (quickest try)

Comment on the PR:

`@dependabot` rebase

This may regenerate the lockfile if Dependabot's pnpm support handles it. However, Dependabot's pnpm lockfile support has historically been unreliable, so this may not work.

---

Option 2: Manually update the lockfile (most reliable)

# Check out the Dependabot branch locally
git fetch origin
git checkout dependabot/npm_and_yarn/example-apps/react-js/all-deps-<suffix>

# Navigate to the React app directory and regenerate the lockfile
cd example-apps/react-js
pnpm install

# Commit and push the updated lockfile
git add pnpm-lock.yaml
git commit -m "chore: update pnpm lockfile"
git push

---

Option 3: Add a CI step to auto-fix (long-term solution)

If this is a recurring issue, you can add a workflow step that runs pnpm install --frozen-lockfile to catch mismatches early, or even a dedicated workflow that auto-commits the lockfile when Dependabot opens a PR.

---

Option 2 is the most reliable for a one-off fix. The root cause is that Dependabot has limited native support for pnpm lockfiles and may only update package.json without properly regenerating pnpm-lock.yaml.

[Ryan-Millard]

Tip

For best results, initiate chat on the files or code changes.

@Ryan-Millard The cleanest way to fix this is to manually regenerate the pnpm-lock.yaml file on the Dependabot branch. Here are your options, from easiest to most manual:

Option 1: Ask Dependabot to rebase (quickest try)

Comment on the PR:

`@dependabot` rebase

This may regenerate the lockfile if Dependabot's pnpm support handles it. However, Dependabot's pnpm lockfile support has historically been unreliable, so this may not work.

Option 2: Manually update the lockfile (most reliable)

# Check out the Dependabot branch locally
git fetch origin
git checkout dependabot/npm_and_yarn/example-apps/react-js/all-deps-<suffix>

# Navigate to the React app directory and regenerate the lockfile
cd example-apps/react-js
pnpm install

# Commit and push the updated lockfile
git add pnpm-lock.yaml
git commit -m "chore: update pnpm lockfile"
git push

Option 3: Add a CI step to auto-fix (long-term solution)

If this is a recurring issue, you can add a workflow step that runs pnpm install --frozen-lockfile to catch mismatches early, or even a dedicated workflow that auto-commits the lockfile when Dependabot opens a PR.

Option 2 is the most reliable for a one-off fix. The root cause is that Dependabot has limited native support for pnpm lockfiles and may only update package.json without properly regenerating pnpm-lock.yaml.

@coderabbitai create an issue to track the long-term resolution of that as well as get dependabot to open PRs against the dev branch and not the main branch since we merge into dev as a buffer before main.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

gh issue create \
  --repo "Ryan-Millard/Img2Num" \
  --title "chore: fix Dependabot config — target \`dev\` branch and auto-regenerate pnpm lockfile" \
  --assignee "Ryan-Millard" \
  --body "## Overview

Two related Dependabot/CI issues were identified in PR `#435` and the discussion in [this comment](https://github.com/Ryan-Millard/Img2Num/pull/435#issuecomment-0):

---

## Problem 1 — Dependabot targets \`main\` instead of \`dev\`

The project uses \`dev\` as an integration buffer before merging into \`main\`, but Dependabot is currently configured to open PRs directly against \`main\`. This bypasses the normal review/integration flow.

**Fix:** Update \`.github/dependabot.yml\` to set \`target-branch: dev\` for all ecosystems.

---

## Problem 2 — Dependabot does not regenerate \`pnpm-lock.yaml\`

Dependabot has [limited native pnpm lockfile support](https://github.com/dependabot/dependabot-core/issues/1736) and only updates \`package.json\`, leaving \`pnpm-lock.yaml\` out of sync. This causes CI workflows to fail on Dependabot PRs.

**Fix options (pick one or combine):**
1. Add a GitHub Actions workflow that triggers on Dependabot PRs, runs \`pnpm install\` in the relevant workspace directory, and commits the updated lockfile back to the branch.
2. Alternatively, use \`--no-frozen-lockfile\` in CI only for Dependabot branches, then commit the result.

A minimal workflow example:
\`\`\`yaml
name: Fix pnpm lockfile on Dependabot PRs
on:
  pull_request:
    branches: [dev]

jobs:
  update-lockfile:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: \${{ github.head_ref }}
          token: \${{ secrets.GITHUB_TOKEN }}
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: lts/*
          cache: pnpm
      - name: Regenerate lockfile
        run: pnpm install --no-frozen-lockfile
        working-directory: example-apps/react-js
      - name: Commit updated lockfile
        run: |
          git config user.name 'github-actions[bot]'
          git config user.email 'github-actions[bot]`@users.noreply.github.com`'
          git add example-apps/react-js/pnpm-lock.yaml
          git diff --cached --quiet || git commit -m 'chore: regenerate pnpm lockfile'
          git push
\`\`\`

---

## Acceptance Criteria

- [ ] \`.github/dependabot.yml\` updated so all Dependabot PRs target \`dev\`
- [ ] CI workflow (or equivalent) ensures \`pnpm-lock.yaml\` is always in sync on Dependabot PRs
- [ ] Existing Dependabot PRs against \`main\` are closed/redirected after config change

Requested by `@Ryan-Millard` via PR `#435`."

Length of output: 2859

---

---

@Ryan-Millard Issue #436 has been created: #436

It tracks both items with acceptance criteria:

• Update .github/dependabot.yml to target dev for all ecosystems
• Add a workflow to auto-regenerate pnpm-lock.yaml on Dependabot PRs
• Close/redirect any existing Dependabot PRs that targeted main

(ᵔ◡ᵔ)🐇