dependabot-major-version-triage-rules-for-this-stack
For the R-Dash stack, safe dependabot merges are CI action patch bumps (actions/checkout, actions/upload-artifact). Risky deferred items: Python 3.13→3.14 (violates L2 stack pin), Node 22 LTS→25 non-LTS (non-LTS channel), echarts 5→6 (breaking chart-config API changes), eslint/typescript/vitest major bumps (will break config files). Triage rule: patch CI actions = auto-merge; runtime major bumps = human review required.