Bump the production-dependencies group across 1 directory with 11 updates

[dependabot]

Bumps the production-dependencies group with 9 updates in the / directory:

Package	From	To
bandit	1.10.4	1.11.1
ecto_sql	3.13.5	3.14.0
finch	0.21.0	0.22.0
phoenix	1.8.5	1.8.8
phoenix_live_view	1.1.28	1.2.1
req	0.5.17	0.6.1
swoosh	1.25.0	1.26.1
tailwind	0.4.1	0.5.0
thousand_island	1.4.3	1.5.0

Updates bandit from 1.10.4 to 1.11.1

Changelog

Sourced from bandit's changelog.

1.11.1 (13 May 2026)

Fixes

• Improve handling of large chunked request bodies (CVE-2026-39803, #585, thanks @​PJUllrich & @​maennchen!)
• Improve handling of request trailers (CVE-2026-39806, #585, thanks @​PJUllrich & @​maennchen!)

Changes

• We no longer disallow . and .. path components in HTTP/2 absolute paths (#581)

1.11.0 (1 May 2026)

Fixes

• Fix WebSocket inflate vulnerability (CVE-2026-39804, commit 8156921, thanks @​PJUllrich & @​maennchen!)
• Fix WebSocket continuation frame handling vulnerability (CVE-2026-42786, commit 21612c7, thanks @​PJUllrich & @​maennchen!)
• Fix HTTP/2 frame size parsing vulnerability (CVE-2026-42788, commit 1e8e559, thanks @​PJUllrich & @​maennchen!)
• Improve handling of zero/negative length & offset parameters to send_file (#580, thanks @​PJUllrich & @​maennchen!)

Enhancements

• Define a new max_inflate_ratio WebSocket configuration option that defines a maximum allowable decompression ratio to help mitigate inflate bombing. Defaults to 25:1
• Define a new max_fragmented_message_size WebSocket configuration option which defines the maximum allowed WebSocket frame size (inclusive of continuation frames). Defaults to 8MB

Changes

• The default value of the max_frame_size WebSocket option has changed from :infinity to 8MB
• Zero length non-fin continuation frames are now disallowed (we now skip Autobahn 6.1.2 as a result)
• Multiple content-length fields in an HTTP/1 request are now disallowed (CVE-2026-39805, commit f2ca636, thanks @​PJUllrich & @​maennchen!)
• We now only use the underlying transport when determining scheme (CVE-2026-39807, commit 45feea2, thanks @​PJUllrich & @​maennchen!)

Commits

• 40a1b8f Version bump to 1.11.1
• 37b84cf Bump ex_doc from 0.40.1 to 0.40.2 (#583)
• 8ff6078 Bump telemetry from 1.4.1 to 1.4.2 (#584)
• ae3520d Improve chunk handling (#585)
• 0f56e10 Stop handling . and .. paths specially (#581)
• e626198 Version bump to 1.11.0
• 014c157 Tweaks to Autobahn test suite
• 1e8e559 Merge commit from fork
• 45feea2 Merge commit from fork
• f2ca636 Merge commit from fork
• Additional commits viewable in compare view

Updates ecto_sql from 3.13.5 to 3.14.0

Changelog

Sourced from ecto_sql's changelog.

v3.14.0 (2026-05-19)

Enhancements

• [migrations] Allow table modifiers such as UNLOGGED tables
• [migrations] Add Safe Ecto Migration guides
• [mysql] Support insert_mode: :ignore
• [postgres] Set a default timezone on mix ecto.create
• [sandbox] Label the sandbox owner process
• [sql] Allow fragment tuple sources in adapters
• [sql] Allow pid repos in Ecto.Adapters.SQL.table_exists?
• [sql] Accept counter option in to_sql/4
• [sql] Support {:unsafe_fragment, ...} support to RETURNING clause

Commits

• 670f689 Release v3.14.0
• 1d906ce Fix warnings in 1.20 and require Elixir 1.15+ (#718)
• d533039 Add squashing migrations guide
• 697bcaf Merge table, update caveats and notes
• 7887f46 Remove dead code
• 8d80d5d Initial guide updates
• 1e5d0ef Rename docs environment
• 7ae4476 Update deps
• fb10152 Add Safe Ecto Migration guides (#720)
• 3954314 Mention max_lifetime option in disconnect_all
• Additional commits viewable in compare view

Updates finch from 0.21.0 to 0.22.0

Changelog

Sourced from finch's changelog.

v0.22.0 (2026-05-12)

Added

• Add a new :http2 configuration section with :wait_for_server_settings?, :ping_interval, :max_connection_age, and :max_connection_age_jitter support #354 #355 #364
• Add http+unix:// and https+unix:// URL scheme support for cleaner Unix socket pool configuration #351
• Add pool tagging support for connection pool isolation #342
• Add dynamic and user-managed pool APIs with Finch.start_pool/3, Finch.find_pool/2, and Finch.Pool.child_spec/1 #352
• Add Finch.is_request_ref/1 for matching async request refs in guards #350
• Add configurable pool worker selection strategies via :pool_strategy #359
• Add runtime pool resizing with Finch.get_pool_count/2 and Finch.set_pool_count/3 #362
• Add pid, max_concurrent_streams, and available_connections to pool metrics #362 #368
• Support {:stream, req_body_fun} request bodies in Finch.stream_while/5 on HTTP/1 #357 #360
• Encapsulate pool identity using a Finch.Pool struct #338
• Add Elixir 1.20 support #346

Changed

• Require Elixir v1.15 #358
• Refactor pool management to use per-pool supervisors and registry-backed tracking #344
• Pool metrics now return Finch.Pool.t() structs as keys and use ordered-set ETS tables for prefix lookups #342 #368
• Register only ready HTTP/2 connections, returning :pool_not_available when no connected pool is available #356
• Standardize error handling with Finch.error(), Finch.HTTPError, and Finch.TransportError #341
• Validate keyword options in Finch.build/5 and Finch.request/3 #365
• Use Mint 1.8 #341

Deprecated

• Deprecate {scheme, {:local, path}} tuple form in :pools, use URL strings (e.g. "http+unix:///path") instead #351

Removed

• Remove deprecated Finch.request/6 function, pool configuration options, and :max_idle_time_exceeded telemetry event #348

Fixed

• Do not exceed max failure count to stop overflows #343
• Clean up pool metrics when pools terminate or resize #362
• Prevent atom creation for non-existent Finch instances #342
• Make flaky CI assertions more reliable #340
• Prevent HTTP/1 pools from being considered idle immediately after fresh checkouts #372

Other

• Improve documentation around pool :count, :size, and strategies #361
• Document Finch.build/5 options #347
• CI: update the Elixir 1.20 release candidate to 1.20.0-rc.4

Commits

• See full diff in compare view

Updates jason from 1.4.4 to 1.4.5

Changelog

Sourced from jason's changelog.

1.4.5 (05.05.2026)

• Add support for Decimal 3.0

Commits

• 4ede428 Bump v1.4.5
• b8c2185 Fix dialyzer job
• a363975 Modernise CI to currently supported versions
• 243c8a8 Allow decimal 3.0
• c8e8d05 Revert the experimental 1.5 branch and jason_native experiment
• 0e7a3e2 Add example/doctest for Jason.OrderedObject.new/1
• 984bc07 fix broken link
• f775592 Raise if trying to decode decimals without decimal
• 79d59df Remove unneeded workarounds for xref warnings
• baac78e Fix warnings by conditionally compiling Decimal support
• Additional commits viewable in compare view

Updates phoenix from 1.8.5 to 1.8.8

Changelog

Sourced from phoenix's changelog.

1.8.8 (2026-06-10)

Enhancements

• [phx.new] Use LiveView 1.2.0

1.8.7 (2026-05-06)

Bug fixes

• Fix invalid status when longpoll request times out

Enhancements

• Mask token parameter in logs by default (in addition to "password")

JavaScript Client Bug Fixes

• Fix encoding of non-ASCII metadata in binary channel messages

1.8.6 (2026-05-05)

Security fixes

• CVE-2026-32689: Fix Phoenix.Socket Longpoll transport memory exhaustion in nd-JSON body splitting

Enhancements

• [phoenix] Raise if use Phoenix.VerifiedRoutes is called multiple times in the same module
• [phoenix] Fix more deprecation and type checker warnings on Elixir 1.20
• [phoenix] Raise when interpolating a list in Phoenix.VerifiedRoutes (#6632)
• [phoenix] Gracefully handle non-binary vsn socket parameter (#6662)
• [phx.gen.*] Use .eex filename suffix in generator files
• [phx.new] Add interactive mode: mix phx.new --interactive (#6630)
• [phx.new] Add phx-no-format to generated <.live_title> tag (#6667)

Bug fixes

• [phx.gen.*] Fix generated migrations for myxql when using scopes (#6635)
• [phx.new] Fix crash when parent directory contains a colon (#6633)

Commits

• 99df0a9 Release v1.8.8
• 729f781 Generator changes for LiveView 1.2 (#6696)
• d453e37 Use Elixir's builtin consolidation from v1.19, closes #4951
• f30fa36 Clarify channel payloads can be any serializable value (#6695)
• e1e7912 Replace all hexdocs URLs with the subdomain format (#6693)
• cf9dd26 Add README template for Phoenix umbrella (#6691)
• 39eb5dd Refactor template override backward compatibility test (#6684)
• e1c3816 chore: small typo fix in controllers.md (#6689)
• b6a4e31 Make websocket disconnect codes explicit (#6678)
• eea4895 Add eex suffix to phx.gen.auth template override test (#6680)
• Additional commits viewable in compare view

Updates phoenix_live_view from 1.1.28 to 1.2.1

Release notes

Sourced from phoenix_live_view's releases.

v1.2.1

Bug fixes

• Fix stale events from the previous LiveView being sent to the new LiveView after a live redirect (#4291)

v1.2.0

Enhancements

• Support events pushed when connected mount redirects (#4269)

Bug fixes

• Ensure for comprehensions in HEEx use deterministic variables
• Ensure connect_params are kept when following redirects in LiveViewTest (#4005)
• Ensure exceptions during LiveComponent renders are emitted as :telemetry event (#4258)
• Fix whitespace handling of EEx nodes in HEEx compiler (#4277)

v1.2.0-rc.3

Enhancements

• Add official documentation for the JavaScript client
• Validate URL scheme in push_patch / push_navigate, JS.patch / JS.navigate, and clientside js().patch / js().navigate (#4250)

Bug fixes

• Fix nested assign change tracking (#4225)
• Ensure Phoenix.LiveViewTest.live_redirect/2 properly passes the URI as a string in handle_params (#4247)

v1.2.0-rc.2

Bug fixes

• Ensure internal phx-viewport hook does not crash on update if no scroll container is used (#4214)

v1.2.0-rc.1

Enhancements

• Align Phoenix.Component global attributes list with reference list from MDN (#4207). If you relied on one of the removed attributes, use the include option instead. For example:

  attr :rest, :global, include: ~w(width height)

• Allow setting id attributes clientside for accessibility with this.js().setAttribute() (#4146)
• Export getFileURLForUpload helper (#4206)
• Use moveBefore if available when reordering stream items (#4212)

Bug fixes

... (truncated)

Changelog

Sourced from phoenix_live_view's changelog.

v1.2.1 (2026-06-11)

Bug fixes

• Fix stale events from the previous LiveView being sent to the new LiveView after a live redirect (#4291)

v1.2.0 (2026-06-10) 🚀

Enhancements

• Support events pushed when connected mount redirects (#4269)

Bug fixes

• Ensure for comprehensions in HEEx use deterministic variables
• Ensure connect_params are kept when following redirects in LiveViewTest (#4005)
• Ensure exceptions during LiveComponent renders are emitted as :telemetry event (#4258)
• Fix whitespace handling of EEx nodes in HEEx compiler (#4277)

v1.2.0-rc.3 (2026-05-29)

Enhancements

• Add official documentation for the JavaScript client
• Validate URL scheme in push_patch / push_navigate, JS.patch / JS.navigate, and clientside js().patch / js().navigate (#4250)

Bug fixes

• Fix nested assign change tracking (#4225)
• Ensure Phoenix.LiveViewTest.live_redirect/2 properly passes the URI as a string in handle_params (#4247)

v1.2.0-rc.2 (2026-05-05)

Bug fixes

• Ensure internal phx-viewport hook does not crash on update if no scroll container is used (#4214)

v1.2.0-rc.1 (2026-05-04)

Enhancements

• Align Phoenix.Component global attributes list with reference list from MDN (#4207). If you relied on one of the removed attributes, use the include option instead. For example:

  attr :rest, :global, include: ~w(width height)

• Allow setting id attributes clientside for accessibility with this.js().setAttribute() (#4146)
• Export getFileURLForUpload helper (#4206)
• Use moveBefore if available when reordering stream items (#4212)

Bug fixes

... (truncated)

Commits

• f0da401 Release v1.2.1
• 1a83ece Update assets
• e38e6fb When navigating, prevent outdated events from reaching the new view (#4291)
• 92c9d8d Improve security guide regarding user input (#4285)
• c543641 Use elixirc_options: [no_warn_undefined: ...] instead of xref: [exclude: ...]...
• 189f22a Replace internal docs references .html -> .md (#4286)
• cdfff45 Add security notes for mount, handle_params, and handle_event (#4284)
• f2759d3 Fix missing parenthesis in Security Model example (#4283)
• 923e859 Release v1.2.0
• 0f57334 ensure connect_params are kept when following redirects (#4249)
• Additional commits viewable in compare view

Updates postgrex from 0.22.0 to 0.22.2

Changelog

Sourced from postgrex's changelog.

v0.22.2 (2026-05-12)

• Security
  • Escape quotes in channel names in Postgrex.Notifications.listen/3 (CVE-2026-32687)

v0.22.1 (2026-03-05)

• Enhancements

  • Relax decimal requirement
  • Set process labels in Postgrex processes

• Bug fixes

  • Return proper error when getting tcp closed after fatal errors

Commits

• f1ffdb5 Release v0.22.2
• 7cdedbd Escape quotes, check null bytes, and name length for channel names
• f78f401 Release v0.22.1
• 03717e9 Add multirange to sidebar section
• 0f92ae3 Return proper error when getting tcp closed after fatal errors (#765)
• 3385a98 Set some process labels (#764)
• e4f7942 Simplify decode simple handling to avoid unused clauses
• df184a4 Release v0.22.0
• de38918 Add text query support (#761)
• b3e895a Support infinite intervals (#759)
• See full diff in compare view

Updates req from 0.5.17 to 0.6.1

Release notes

Sourced from req's releases.

v0.6.1

• compressed, decompress_body: Disable automatic decompression

  Decompression is now opt-in by setting compressed: true.

v0.6.0

• encode_body: Security fix for :form_multipart header injection (GHSA-px9f-whj3-246m).

  The multipart encoder interpolated the per-part name, filename, and content_type into the part headers without escaping, so an attacker-controlled value could inject extra headers or smuggle additional parts into the request. These values are now escaped per RFC 7578 / WHATWG form-data (", CR, and LF are percent-encoded).

  Thanks to @​PJUllrich for reporting it.

• decode_body: Drop automatic zip/tar/tgz/gz/zst/csv decoding, (GHSA-655f-mp8p-96gv).

  Req previously auto-decoded archive and compressed response bodies (zip, tar, tgz, gz, zst, and csv) based on the server-supplied content-type, materialising the full decompressed contents in memory with no size cap. An attacker-controlled (or redirect-reachable) endpoint could return a tiny "decompression bomb" that expanded to gigabytes and exhausted the node's memory.

  Now only JSON is decoded by default. Other formats are opt-in via the new :decoders option, which defaults to [:json, :json_api]. Setting it replaces the default (include :json to keep JSON decoding), and false disables all decoding:

  # opt into archives (only for endpoints you trust):
  Req.get!(url, decoders: [:json, :zip])
  

  Note: The decoded zip/tar is still list of {filename :: charlist(), contents :: binary} tuples. In the future release, this will be list of {filename :: binary(), contents :: binary()} tuples.

  While automatic CSV decoding wasn't a security issue, the behaviour based on presence/absence of nimble_csv dependency was suprising. CSV support is still built-in but need to be enabled with decoders: [:csv].

... (truncated)

Changelog

Sourced from req's changelog.

v0.6.1 (2026-06-08)

• [compressed], [decompress_body]: Disable automatic decompression

  Decompression is now opt-in by setting compressed: true.

v0.6.0 (2026-06-08)

• [encode_body]: Security fix for :form_multipart header injection (GHSA-px9f-whj3-246m).

  The multipart encoder interpolated the per-part name, filename, and content_type into the part headers without escaping, so an attacker-controlled value could inject extra headers or smuggle additional parts into the request. These values are now escaped per RFC 7578 / WHATWG form-data (", CR, and LF are percent-encoded).

  Thanks to @​PJUllrich for reporting it.

• [decode_body]: Drop automatic zip/tar/tgz/gz/zst/csv decoding, (GHSA-655f-mp8p-96gv).

  Req previously auto-decoded archive and compressed response bodies (zip, tar, tgz, gz, zst, and csv) based on the server-supplied content-type, materialising the full decompressed contents in memory with no size cap. An attacker-controlled (or redirect-reachable) endpoint could return a tiny "decompression bomb" that expanded to gigabytes and exhausted the node's memory.

  Now only JSON is decoded by default. Other formats are opt-in via the new :decoders option, which defaults to [:json, :json_api]. Setting it replaces the default (include :json to keep JSON decoding), and false disables all decoding:

  # opt into archives (only for endpoints you trust):
  Req.get!(url, decoders: [:json, :zip])
  

  Note: The decoded zip/tar is still list of {filename :: charlist(), contents :: binary} tuples. In the future release, this will be list of {filename :: binary(), contents :: binary()} tuples.

  While automatic CSV decoding wasn't a security issue, the behaviour based on presence/absence of nimble_csv dependency was suprising. CSV support is still built-in but need to be enabled with decoders: [:csv].

  Custom decoders are supported via {format, codec} tuples, where codec is a module exporting decode/1 or a 1-arity function returning an :ok/:error tuple, for example:

... (truncated)

Commits

• 36a8252 Release v0.6.1
• ea5506f compressed, decompress_body: Disable automatic decompression
• 8e7425f Release v0.6.0
• 584a490 decode_body: Drop automatic zip/tar/tgz/gz/zst/csv decoding
• 2d77dbe encode_body: Security fix for :form_multipart header injection
• 53c3b99 Release v0.5.18
• dc1f3be Update ex_doc
• dbd145c Update CHANGELOG.md
• 75f077e retry: Automatically retry on :pool_not_available
• 4cfbf54 run_finch: Normalize Finch.TransportError,HTTPError (Finch 0.22+) (#544)
• Additional commits viewable in compare view

Updates swoosh from 1.25.0 to 1.26.1

Release notes

Sourced from swoosh's releases.

v1.26.1 🚀

🐛 Bug Fixes

• fix fat-fingering content_id instead of cid, added tests, fixed outdated expected response in mua_test.exs @​waseigo (#1155)

🧰 Maintenance

• Prepare 1.26.1 patch release metadata @​copilot-swe-agent (#1156)

v1.26.0 🚀

✨ Features

• Added adapter for self-hosted Mailpit @​waseigo (#1152)

⛓️ Dependency

• Bump req from 0.5.17 to 0.5.18 @​dependabot (#1147)

New Contributors

• @​waseigo made their first contribution in swoosh/swoosh#1152

Full Changelog: swoosh/swoosh@1.25.3...v1.26.0

v1.25.3 🚀

• Prepare 1.25.3 patch release notes @​copilot-swe-agent (#1151)

📝 Documentation

• Document runtime Postmark server keys @​dl-alexandre (#1135)

🧰 Maintenance

• Fix Elixir 1.20 compilation warnings @​gilbertwong96 (#1150)
• Allow usage of idna 7.x @​sax (#1142)
• update to support hackney less than 5.0 @​allenwyma (#1132)

New Contributors

• @​dl-alexandre made their first contribution in swoosh/swoosh#1135
• @​allenwyma made their first contribution in swoosh/swoosh#1132
• @​sax made their first contribution in swoosh/swoosh#1142
• @​gilbertwong96 made their first contribution in swoosh/swoosh#1150

Full Changelog: swoosh/swoosh@v1.25.2...1.25.3

v1.25.2 🚀

• chore: prepare 1.25.2 patch release @​copilot-swe-agent (#1136)
• Fix release comment workflow repository checkout @​copilot-swe-agent (#1128)

🐛 Bug Fixes

... (truncated)

Changelog

Sourced from swoosh's changelog.

1.26.1

🐛 Bug Fixes

• Fix inline attachment cid handling for Mailpit adapter @​waseigo (#1155)

1.26.0

✨ Features

• Add self-hosted Mailpit adapter @​waseigo (#1152)

📝 Documentation

• Document the new Mailpit adapter in the README

1.25.3

📝 Documentation

• Document runtime Postmark server keys @​dl-alexandre (#1135)

🧰 Maintenance

• update to support hackney less than 5.0 @​allenwyma (#1132)
• Allow usage of idna 7.x @​sax (#1142)
• Fix Elixir 1.20 compilation warnings @​gilbertwong96 (#1150)

1.25.2

🐛 Bug Fixes

• fix(config): prioritize runtime config for Mailer @​ukashazia (#1134)

1.25.1

🐛 Bug Fixes

• Escape email content in mailbox preview UI @​mogest (#1124)
• fix: assert_no_email_sent and refute_email_sent now catch deliver_many @​donleandro (#1123)

Commits

• 317f847 Prepare 1.26.1 patch release files (#1156)
• 38057ba fix fat-fingering content_id instead of cid, added tests, fixed outdated ...
• f0c7eaf Prepare 1.26.0 release files (#1153)
• 60532a2 Added adapter for self-hosted Mailpit (#1152)
• 1d6dec8 Bump req from 0.5.17 to 0.5.18 (#1147)
• 3580fe8 Prepare 1.25.3 patch release notes (#1151)
• 6f6f643 Fix Elixir 1.20 compilation warnings (#1150)
• 6f0d01c Bump ex_doc from 0.40.2 to 0.40.3 (#1148)
• 7b67e3e Bump bandit from 1.11.0 to 1.11.1 (#1146)
• 936c06c Bump cowboy from 2.14.2 to 2.15.0 (#1140)
• Additional commits viewable in compare view

Updates tailwind from 0.4.1 to 0.5.0

Changelog

Sourced from tailwind's changelog.

v0.5.0 (Unreleased)

• Allow configuring :version per profile
• Allow env values to be lists, joined by the OS path separator

Commits

• a4569fb Release v0.5.0
• a6e2d51 Merge pull request #139 from phoenixframework/sd-node-path
• bbc9d45 allow lists in env
• 27388df bump latest version
• c0cefa1 prepare 0.5.0
• ed088d9 Merge pull request #123 from RobinBoers/main
• 7a4b934 Apply suggestion from @​SteffenDE
• 170bb6c Update lib/tailwind.ex
• 28d1de0 Raise on boot when :path is set and one or more profiles configure :version
• 1dd71d8 Refactor configured_target/1 to be consistent with configured_version/1
• Additional commits viewable in compare view

Updates thousand_island from 1.4.3 to 1.5.0

Changelog

Sourced from thousand_island's changelog.

1.5.0 (1 Jun 2026)

Changes

• Not-strictly-breaking-but-still-important-change: We've improved the isolation between network-related timeouts and GenServer-related timeouts. Specifically, local GenServer callbacks (handle_info et al) no longer affect network-related timeouts; a 30s network timeout will be enforced after 30 seconds, regardless of how many local messages arrive in the process' mailbox. See #202 for more details.

Commits

• 6222305 Version bump to 1.5.0
• 8dc6f86 Add hex_publish CI step
• 68b2872 Separate out network timeout timer from GenServer message timer (#202)
• 969c3a5 Bump ex_doc from 0.40.2 to 0.40.3 (#203)
• a8c5371 Update security policy
• 4daa755 Bump telemetry from 1.4.1 to 1.4.2 (#201)
• d57860b Bump ex_doc from 0.40.1 to 0.40.2 (#200)
• 0f1c10f Bump machete from 0.3.11 to 0.3.12 (#199)
• 4689693 Bump credo from 1.7.17 to 1.7.18 (#198)
• b652f6c Update Handler moduledoc, add "the" (#197)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions