NHSDigital · anthony-nhs · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026
diff --git a/.gitallowed b/.gitallowed
@@ -7,3 +7,4 @@ self\.token = token
 token = os\.environ\.get\(\"GH_TOKEN\"\)
 poetry\.lock
 \-Dsonar\.token=\"\$SONAR_TOKEN\"
+token: "\${{ steps\.generate-token\.outputs\.token }}"
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -14,28 +14,28 @@ updates:
       prefix: "Upgrade: [dependabot] - "
 
   ###################################
-  # NPM workspace  ##################
+  # Poetry  #########################
   ###################################
-  - package-ecosystem: "npm"
+  - package-ecosystem: "pip"
     directory: "/"
     schedule:
       interval: "weekly"
       day: "thursday"
-      time: "18:00" # UTC
+      time: "20:00" # UTC
     open-pull-requests-limit: 20
     versioning-strategy: increase
     commit-message:
       prefix: "Upgrade: [dependabot] - "
 
   ###################################
-  # Poetry  #########################
+  # NPM workspace  ##################
   ###################################
-  - package-ecosystem: "pip"
+  - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "weekly"
       day: "thursday"
-      time: "18:00" # UTC
+      time: "22:00" # UTC
     open-pull-requests-limit: 20
     versioning-strategy: increase
     commit-message:

diff --git a/.trivyignore.yaml b/.trivyignore.yaml
@@ -22,3 +22,6 @@ vulnerabilities:
   - id: CVE-2026-29786
     statement: tar vulnerability accepted as risk - dependency of npm (multiple)
     expired_at: 2026-06-01
+  - id: CVE-2026-31802
+    statement: tar vulnerability accepted as risk - dependency of npm (multiple)
+    expired_at: 2026-06-01