From b2cdb408a468fcfd6a1a9abb01f603090c4d681b Mon Sep 17 00:00:00 2001
From: Daniel Alfaro <daniel.alfaro@mercadolibre.com.co>
Date: Wed, 27 May 2026 14:45:31 -0500
Subject: [PATCH 1/3] chore: add Dependabot version updates configuration

Add .github/dependabot.yml to enable proactive dependency updates.
Covers the main package ecosystem + github-actions, weekly on Mondays
at 09:00 America/Bogota, reviewer/assignee mercadopago/backend-sdks,
ignoring semver-major bumps (manual decision required).

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
---
 .github/dependabot.yml | 46 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..42c877c
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,46 @@
+# Dependabot version updates — sdk-python
+# Ubicación obligatoria: .github/dependabot.yml
+# Ecosistemas: pip (Python) + github-actions
+version: 2
+
+updates:
+  # ── Python / pip ─────────────────────────────────────────────────────
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "America/Bogota"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "mercadopago/backend-sdks"
+    assignees:
+      - "mercadopago/backend-sdks"
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+    # pip puede ejecutar código de setup.py durante el update — lo bloqueamos
+    insecure-external-code-execution: "deny"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
+
+  # ── GitHub Actions (CI) ──────────────────────────────────────────────
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "America/Bogota"
+    open-pull-requests-limit: 1
+    reviewers:
+      - "mercadopago/backend-sdks"
+    labels:
+      - "dependencies"
+      - "ci"
+    commit-message:
+      prefix: "chore(ci)"

From 6b87f20deda1f9978902155ac61e53be062dded0 Mon Sep 17 00:00:00 2001
From: Daniel Alfaro <daniel.alfaro@mercadolibre.com.co>
Date: Wed, 27 May 2026 14:53:15 -0500
Subject: [PATCH 2/3] fix(dependabot): remove invalid reviewers field

reviewers is not a valid field in the dependabot.yml schema.
Only assignees is documented. Review requests should be configured
via CODEOWNERS instead.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
---
 .github/dependabot.yml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 42c877c..0bea83a 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -13,8 +13,6 @@ updates:
       time: "09:00"
       timezone: "America/Bogota"
     open-pull-requests-limit: 5
-    reviewers:
-      - "mercadopago/backend-sdks"
     assignees:
       - "mercadopago/backend-sdks"
     labels:
@@ -37,8 +35,6 @@ updates:
       time: "09:00"
       timezone: "America/Bogota"
     open-pull-requests-limit: 1
-    reviewers:
-      - "mercadopago/backend-sdks"
     labels:
       - "dependencies"
       - "ci"

From 0b6dcecc96e6e8204be878ad5c914b0f502867e4 Mon Sep 17 00:00:00 2001
From: Daniel Alfaro <daniel.alfaro@mercadolibre.com.co>
Date: Wed, 27 May 2026 15:04:38 -0500
Subject: [PATCH 3/3] ci: add dependency audit step
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add vulnerability scan at the end of the CI job to close the
Dependabot loop: Dependabot opens PR → CI runs → audit confirms
the CVE is resolved before merge.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3d5e6fc..fa2de8b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -44,3 +44,9 @@ jobs:
         python -m unittest discover tests/
       env:
         ACCESS_TOKEN: ${{secrets.ACCESS_TOKEN}}
+
+    - name: Install pip-audit
+      run: pip install pip-audit
+
+    - name: Dependency audit
+      run: pip-audit