diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..4800cbc34e
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,75 @@
+# Dependabot configuration
+# - Only security updates (version updates disabled via open-pull-requests-limit: 0)
+# - Dependencies grouped within each ecosystem/directory
+# - 3-day minimum release age for new versions (so they can't be unpublished in NPM)
+# - Labels: "dependencies" (default), language-specific (javascript/ruby/github-actions), "full-ci"
+#
+# Note: Root pnpm workspace (/) covers packages/react-on-rails, etc.
+# Dummy apps have separate lock files and are listed explicitly.
+
+version: 2
+
+updates:
+ # NPM/PNPM packages - root workspace and dummy apps
+ - package-ecosystem: "npm"
+ directories:
+ - "/"
+ - "/react_on_rails/spec/dummy"
+ - "/react_on_rails_pro/spec/dummy"
+ schedule:
+ interval: "weekly"
+ labels:
+ - "dependencies"
+ - "javascript"
+ - "full-ci"
+ # Disable version update PRs - only security updates will be created
+ open-pull-requests-limit: 0
+ cooldown:
+ default-days: 3
+ groups:
+ npm-security:
+ applies-to: security-updates
+ patterns:
+ - "*"
+
+ # Ruby gems - Open source and Pro gems (including dummy apps)
+ # Root directory is not included because it reuses the Gemfile from react_on_rails
+ - package-ecosystem: "bundler"
+ directories:
+ - "/react_on_rails"
+ - "/react_on_rails/spec/dummy"
+ - "/react_on_rails_pro"
+ - "/react_on_rails_pro/spec/dummy"
+ - "/react_on_rails_pro/spec/execjs-compatible-dummy"
+ schedule:
+ interval: "weekly"
+ labels:
+ - "dependencies"
+ - "ruby"
+ - "full-ci"
+ open-pull-requests-limit: 0
+ cooldown:
+ default-days: 3
+ groups:
+ bundler-security:
+ applies-to: security-updates
+ patterns:
+ - "*"
+
+ # GitHub Actions
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ labels:
+ - "dependencies"
+ - "github-actions"
+ - "full-ci"
+ open-pull-requests-limit: 0
+ cooldown:
+ default-days: 3
+ groups:
+ actions-security:
+ applies-to: security-updates
+ patterns:
+ - "*"
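Review bot: The `cooldown: default-days: 3` setting is repeated under all three ecosystems, while the header comment justifies the delay only by npm's unpublish window; with `open-pull-requests-limit: 0` leaving security updates as the only PRs this file produces, any cooldown that Dependabot honours for security updates becomes a three-day delay on every security fix for bundler and github-actions as well, where that rationale does not apply. Whether cooldown also gates security-update PRs should be confirmed against the current Dependabot documentation; if it does, either drop the `cooldown` block from the bundler and github-actions entries or record the accepted delay in the header, e.g. `# - Cooldown also delays security-update PRs by 3 days in every ecosystem (accepted trade-off)`. Separately, the `docs/MONOREPO_MERGER_PLAN.md` hunk in this same commit describes the current bundler entries as `/react_on_rails` and `/react_on_rails_pro` and the npm entries as `/` and `/spec/react_on_rails/dummy-for-generators`, which does not match the directories listed here, so one of the two should be corrected for the header's "listed explicitly" claim to stay accurate.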
diff --git a/docs/MONOREPO_MERGER_PLAN.md b/docs/MONOREPO_MERGER_PLAN.md
index 75504e8875..9c25d7eac3 100644
--- a/docs/MONOREPO_MERGER_PLAN.md
+++ b/docs/MONOREPO_MERGER_PLAN.md
@@ -476,6 +476,9 @@ After the initial merge, the following CI adjustments may be needed:
 - [ ] Remove empty `react_on_rails_pro/` directory
 - [ ] Update all require paths in Ruby code
 - [ ] Update gemspec file paths and dependencies
+- [ ] **Update `.github/dependabot.yml`** to reflect final directory structure:
+ - Remove `/react_on_rails_pro` bundler entry (directory no longer exists)
+ - Update bundler directory from `/react_on_rails` to `/` (root now has both gemspecs)
 **License Compliance:**
@@ -741,6 +744,52 @@ license-compliance:
 run: ruby script/check-license-compliance.rb
 ```
+## Configuration Files
+
+When directories are moved or renamed during the merger, the following configuration files must be updated to reflect the new structure:
+
+| File | What to Update |
+| ------------------------ | ----------------------------------------------- |
+| `.github/dependabot.yml` | `directory:` entries for bundler/npm ecosystems |
+| `.rubocop.yml` | Exclusion patterns |
+| `eslint.config.ts` | Ignore patterns |
+| `.prettierignore` | Ignored directories |
+| `knip.ts` | Ignore patterns |
+
+### Dependabot Configuration
+
+The `.github/dependabot.yml` file configures automated security updates. It must be kept in sync with the repository structure.
+
+**Current Configuration (Pre-Phase 6):**
+
+```yaml
+# Bundler entries
+- directory: '/react_on_rails' # Open source gem
+- directory: '/react_on_rails_pro' # Pro gem
+
+# NPM entries
+- directory: '/' # Root pnpm workspace
+- directory: '/spec/react_on_rails/dummy-for-generators' # Yarn-based generator dummy
+```
+
+**Final Configuration (Post-Phase 6):**
+
+```yaml
+# Bundler entries
+- directory: '/' # Root now contains both gemspecs
+
+# NPM entries (unchanged)
+- directory: '/'
+- directory: '/spec/react_on_rails/dummy-for-generators'
+```
+
+**When to Update dependabot.yml:**
+
+- When Gemfile locations change
+- When package.json files are added/moved/removed
+- When new workspaces are added
+- When directories containing lock files are restructured
+
 ## Risk Management
 ### High-Risk Phases