
[ci] group Dependabot updates into single PRs#1719

Open
mellyeliu wants to merge 1 commit into main from add-dependabot-grouping

@mellyeliu

Member

What

Adds .github/dependabot.yml so Dependabot bundles updates into one grouped PR per ecosystem instead of one PR per dependency.

  • npm (root + packages/** + examples/**): all updates → a single npm-dependencies PR
  • github-actions: all updates → a single github-actions PR

The repo currently has no Dependabot config, so security updates open one PR each (16 open right now). groups collapses those into a single PR. Grouping also applies to security updates when Grouped security updates is enabled in repo settings.

What this does NOT do — severity filtering ("critical only")

There is no dependabot.yml option to filter by severity, and no public API for it. To only get fixes for the most critical issues, a repo admin must add a Dependabot auto-triage rule:

  1. Repo Settings → Code security → Dependabot → Auto-triage rules → New rule
  2. Condition: severity is one of Low, Medium, High → action Dismiss (or "Snooze until patch")
  3. Result: only Critical alerts stay open, so Dependabot only opens (grouped) security PRs for them.

And to group the existing security PRs (not just version updates):

  • Settings → Code security → Dependabot → enable Grouped security updates.

(Current alert counts: 6 critical, 48 high, 43 medium, 3 low.)

Adds .github/dependabot.yml so Dependabot bundles all updates for an
ecosystem into one grouped PR instead of one PR per dependency:

- npm (root + packages/** + examples/**): all updates -> one PR
- github-actions: all updates -> one PR

Reduces the one-PR-per-dependency noise. Note: severity filtering
(critical-only) is set separately via repo Dependabot auto-triage rules;
it cannot be expressed in dependabot.yml.
@mellyeliu mellyeliu requested a review from nmn as a code owner June 16, 2026 06:29
Copilot AI review requested due to automatic review settings June 16, 2026 06:29
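
The diff is not shown on this page. As an added illustration (not the file from this PR), a .github/dependabot.yml matching the description could look like the sketch below. The directory globs and the group names npm-dependencies and github-actions come from the description; the weekly schedule and the separate npm-security group are assumptions.

```yaml
# Constructed sketch of .github/dependabot.yml; not the file from this PR.
version: 2
updates:
  - package-ecosystem: "npm"
    # One entry covering the monorepo layout named in the description.
    directories:
      - "/"
      - "/packages/**"
      - "/examples/**"
    schedule:
      interval: "weekly"   # assumption: the PR text does not state a schedule
    groups:
      # Every npm version update lands in one PR.
      npm-dependencies:
        applies-to: version-updates
        patterns:
          - "*"
      # Assumption, not in the PR: a second group scoped to security updates,
      # so security fixes stay in their own PR and can be reviewed and merged
      # ahead of routine version bumps.
      npm-security:
        applies-to: security-updates
        patterns:
          - "*"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"   # assumption
    groups:
      # Every workflow action update lands in one PR.
      github-actions:
        patterns:
          - "*"
```

A group without applies-to covers version updates only, which is why the security group is spelled out separately here.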
@vercel

vercel Bot commented Jun 16, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
stylex | Ready | Preview, Comment | Jun 16, 2026 6:33am


@meta-cla meta-cla Bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Jun 16, 2026

Copilot AI left a comment


Pull request overview

This PR adds a Dependabot configuration to reduce PR noise by grouping dependency updates so the repo gets one update PR per ecosystem (npm and GitHub Actions), aligning better with a monorepo workflow.

Changes:

  • Introduces .github/dependabot.yml with grouped update rules for the npm ecosystem across the monorepo.
  • Adds a grouped update rule for github-actions to consolidate workflow dependency updates.

@github-actions


workflow: benchmarks/size

Comparison of minified (terser) and compressed (brotli) size results, measured in bytes. Smaller is better.
yarn workspace v1.22.22
yarn run v1.22.22
$ node ./compare.js /tmp/tmp.KO4IJnTDWD /tmp/tmp.ZcE3ZtOcoK

Results Base Patch Ratio
@stylexjs/stylex/lib/cjs/stylex.js
· compressed 1,535 1,535 1.00
· minified 5,166 5,166 1.00
@stylexjs/stylex/lib/cjs/inject.js
· compressed 1,793 1,793 1.00
· minified 4,915 4,915 1.00
benchmarks/size/.build/bundle.js
· compressed 496,650 496,650 1.00
· minified 4,847,840 4,847,840 1.00
benchmarks/size/.build/stylex.css
· compressed 99,757 99,757 1.00
· minified 748,850 748,850 1.00
Done in 0.10s.
Done in 0.34s.

@github-actions


workflow: benchmarks/perf

Comparison of performance test results, measured in operations per second. Larger is better.
yarn workspace v1.22.22
yarn run v1.22.22
$ node ./compare.js /tmp/tmp.QEoP7f8Oxn /tmp/tmp.VoofQL3mgO

Results Base Patch Ratio
babel-plugin: stylex.create
· basic create 589 590 1.00 +
· complex create 65 65 1.00
babel-plugin: stylex.createTheme
· basic themes 469 458 0.98 -
· complex themes 32 32 1.00
Done in 0.09s.
Done in 0.38s.
