Add local .npmrc and re-enable dependabot

 - allow only security updates
 - 14 days delay for github actions

Author: vm-orbit

.github/dependabot.yml

@@ -3,23 +3,25 @@
 # Please see the documentation for all configuration options:
 # https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
 
-# dependabot is disabled due to recent supply chan attacks
-# all updates are manual until further notice from maintainer
-# version: 2
-# updates:
-#   - package-ecosystem: "npm" # See documentation for possible values
-#     directory: "/" # Location of package manifests
-#     schedule:
-#       interval: "weekly"
-#     ignore:
-#       - dependency-name: "@types/node"
-#       - dependency-name: "typedoc"
-#     cooldown:
-#       default-days: 14
+version: 2
+updates:
+  - package-ecosystem: "npm" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
+    ignore:
+      - dependency-name: "@types/node"
+      - dependency-name: "typedoc"
+    # cooldown:
+    #   default-days: 14
+    #   semver-major-days: 14
+    #   semver-minor-days: 14
+    #   semver-patch-day: 5
+    open-pull-requests-limit: 0 # only security updates
 
-#   - package-ecosystem: "github-actions" # See documentation for possible values
-#     directory: "/" # Location of package manifests
-#     schedule:
-#       interval: "weekly"
-#     cooldown:
-#       default-days: 14
+  - package-ecosystem: "github-actions" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 14

.npmrc

@@ -0,0 +1,2 @@
+min-release-age=5
+ignore-scripts=true