feat: add target-indirect option #660

Merged
merged 1 commit into from
Oct 21, 2024

@toomuchdesign (Contributor) commented Oct 17, 2024

Feature Proposal

This PR adds a new target-indirect option, providing the ability to specify a semver version for "indirect" dependency type PRs.

Motivation

Dependabot PRs come with a dependency-type metadata prop which can hold different values including indirect.

The target-indirect option uses the same approach taken with the existing target-xxx options to specifically target the indirect dependency type.

| Target option | Handled dependency-type |
| --- | --- |
| target-development | direct:development |
| target-production | direct:production |
| target-indirect | indirect |

Extra info

"direct:development" Dependabot PRs

Example: https://github.com/toomuchdesign/openapi-ts-json-schema/actions/runs/11336643952/job/31526898957

PR metadata
  outputs.dependency-names: @vitest/coverage-v8, vitest
  outputs.dependency-type: direct:development
  outputs.update-type: version-update:semver-patch
  outputs.directory: /
  outputs.package-ecosystem: npm_and_yarn
  outputs.target-branch: master
  outputs.previous-version: 
  outputs.new-version: 
  outputs.compatibility-score: 0
  outputs.maintainer-changes: false
  outputs.dependency-group: vitest
  outputs.alert-state: 
  outputs.ghsa-id: 
  outputs.cvss: 0

"direct:production" Dependabot PRs

Example: https://github.com/toomuchdesign/openapi-ts-json-schema/actions/runs/10207116362/job/28241301745

PR metadata
  outputs.dependency-names: @apidevtools/json-schema-ref-parser
  outputs.dependency-type: direct:production
  outputs.update-type: version-update:semver-minor
  outputs.directory: /
  outputs.package-ecosystem: npm_and_yarn
  outputs.target-branch: master
  outputs.previous-version: 11.6.4
  outputs.new-version: 11.7.0
  outputs.compatibility-score: 0
  outputs.maintainer-changes: false
  outputs.dependency-group: 
  outputs.alert-state: 
  outputs.ghsa-id: 
  outputs.cvss: 0

"indirect" Dependabot PRs

Example: https://github.com/toomuchdesign/openapi-ts-json-schema/actions/runs/11336687684/job/31527015545

PR metadata
 outputs.dependency-names: cookie, light-my-request
 outputs.dependency-type: indirect
 outputs.update-type: null
 outputs.directory: /
 outputs.package-ecosystem: npm_and_yarn
 outputs.target-branch: master
 outputs.previous-version: 
 outputs.new-version: 
 outputs.compatibility-score: 0
 outputs.maintainer-changes: true
 outputs.dependency-group: npm_and_yarn
 outputs.alert-state: 
 outputs.ghsa-id: 
 outputs.cvss: 0

Extra notes

This feature should be able to provide a solution to the Dependabot issue causing indirect group PRs to lack update-type metadata. See: #659

A specific test was added to cover such a use case.

I'm quite puzzled about the /dist folder output. Is it expected to be included in PRs?

It supports #644 for indirect dependency updates.

Checklist


No linked issues found. Please add the corresponding issues in the pull request description.
Use GitHub automation to close the issue when a PR is merged

@simoneb (Collaborator) left a comment

LGTM. Yes, the dist folder is supposed to change because the action needs to be bundled to be used.

@simoneb merged commit b35d414 into fastify:main Oct 21, 2024
2 of 7 checks passed
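
Added example, not part of the pull request and not the action's own code: a hypothetical auto-merge gate that applies the option table from the PR description to the three metadata samples quoted there. The option names and dependency-type values come from the description; the `decide`, `bumpOf` and `parseVersion` helpers, the patch/minor/major ranking, the fallback to a general `target` input and the refusal to merge when the bump cannot be determined are assumptions made for illustration.

```javascript
// Hypothetical merge gate (illustration only, not the action's implementation).
// Assumed: semver ranking, fallback to `target`, refusing when the bump is unknown.
const RANK = { patch: 1, minor: 2, major: 3 }

// Mapping table from the PR description.
const OPTION_BY_TYPE = {
  'direct:development': 'target-development',
  'direct:production': 'target-production',
  indirect: 'target-indirect'
}

function parseVersion (v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v || '')
  return m ? m.slice(1).map(Number) : null
}

// Prefer update-type, fall back to comparing versions, null when neither is usable.
function bumpOf (meta) {
  const m = /^version-update:semver-(major|minor|patch)$/.exec(meta['update-type'] || '')
  if (m) return m[1]
  const prev = parseVersion(meta['previous-version'])
  const next = parseVersion(meta['new-version'])
  if (!prev || !next) return null
  if (next[0] !== prev[0]) return 'major'
  if (next[1] !== prev[1]) return 'minor'
  return 'patch'
}

function decide (meta, inputs) {
  const option = OPTION_BY_TYPE[meta['dependency-type']]
  const target = (option && inputs[option]) || inputs.target
  if (!Object.hasOwn(RANK, target)) return { merge: false, option, reason: 'no usable target' }
  const bump = bumpOf(meta)
  // Grouped indirect PRs may carry no update-type and no versions: do not merge.
  if (!bump) return { merge: false, option, reason: 'bump unknown' }
  return { merge: RANK[bump] <= RANK[target], option, reason: `${bump} vs ${target}` }
}

// Metadata taken from the three runs quoted in the PR description (trimmed to the fields used).
const samples = [
  { 'dependency-type': 'direct:development', 'update-type': 'version-update:semver-patch' },
  { 'dependency-type': 'direct:production', 'update-type': 'version-update:semver-minor', 'previous-version': '11.6.4', 'new-version': '11.7.0' },
  { 'dependency-type': 'indirect', 'update-type': null }
]
// Constructed input values for the demonstration.
const inputs = { target: 'patch', 'target-development': 'minor', 'target-indirect': 'patch' }
for (const s of samples) console.log(s['dependency-type'], decide(s, inputs))
```

Under these assumptions the quoted indirect sample is held back, because it carries neither an update-type nor version numbers to compare.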