chore(security): add dependabot config + close 14 open advisories

[rohitg00]

Summary

• Adds .github/dependabot.yml (didn't exist before) covering all 5 npm manifests + github-actions, weekly cadence, grouped minor/patch.
• Bumps next in website/ from ^16.2.4 → ^16.2.6 to close 13 open advisories spanning middleware/proxy bypass, SSRF on WebSocket upgrades, DoS via connection exhaustion, CSP-nonce XSS, image-opt DoS, RSC cache poisoning, beforeInteractive XSS, and segment-prefetch routes.
• Pins postcss to ^8.5.10 (resolves to 8.5.14) via overrides in website/package.json to close the XSS-via-unescaped-</style> advisory. postcss is transitive, so the override is the cleanest forced floor.

Closes

Closes the 14 open Dependabot alerts on default branch:

• alerts feat: v0.2.0 -- 12 hooks, MCP tools, skills, pattern detection #2 – Race condition: non-atomic read-modify-write on session.observationCount #14 (next 16.x family — 13 advisories patched at 16.2.5 / 16.2.6)
• alert fix: system audit -- 10 bugs fixed across hooks, triggers, and core #1 (postcss XSS — patched at 8.5.10)

Dependabot scope

Ecosystem	Path	Cadence	Notes
npm	/	weekly	grouped minor/patch
npm	/website	weekly	grouped minor/patch
npm	/integrations/openclaw	weekly
npm	/integrations/pi	weekly
npm	/integrations/filesystem-watcher	weekly
github-actions	/	weekly	grouped minor/patch

Verification

• npm audit --omit=dev in website/ → 0 vulnerabilities.
• npm run build in website/ clean on Next 16.2.6 (Turbopack, 5 static pages generated).
• TypeScript pass clean.

Test plan

• CI green on the PR
• After merge, GitHub Security tab shows 0 open Dependabot alerts
• Dependabot starts running weekly on Monday 06:00 UTC against all 6 update streams

Summary by CodeRabbit

Chores

• Updated Next.js framework to version 16.2.6
• Configured automated weekly dependency update checks for npm packages and GitHub Actions workflows with customizable pull request limits, labels, and custom commit message prefixes across the repository root, website directory, and integration subdirectories
• Applied PostCSS version pinning

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agentmemory	Ready	Preview, Comment	May 13, 2026 7:12pm

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds automated dependency management to the repository by introducing a Dependabot configuration that schedules weekly updates for npm packages across the root, website, and integration directories, plus GitHub Actions, with concrete version updates to the website's Next.js and postcss dependencies.

Changes

Dependency Automation Setup

Layer / File(s)	Summary
Dependabot npm targets .github/dependabot.yml	Weekly npm dependency updates are scheduled for the repository root, /website, and three integration subdirectories (/integrations/openclaw, /integrations/pi, /integrations/filesystem-watcher), each configured with PR limits, labels, grouped minor/patch updates, and deps(...) commit-message prefixes.
GitHub Actions automation .github/dependabot.yml	Weekly GitHub Actions updates are enabled for the repository root with PR limits, labels, a ci(deps) commit-message prefix, and grouped minor/patch update types.
Website package dependencies website/package.json	The next dependency is updated to ^16.2.6, and a new overrides section pins postcss to ^8.5.10.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Automation hops along the way,
Dependencies update every Monday!
Root, website, actions aligned,
Postcss pinned, no conflicts to find.
Dependabot brings order and peace! 🚀

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately summarizes the primary changes: adding Dependabot configuration and resolving security advisories through dependency updates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/dependabot-config-and-security-fixes

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.github/dependabot.yml (1)

44-90: ⚡ Quick win

Consider grouping minor/patch updates for integration directories.

The three integration configurations (openclaw, pi, filesystem-watcher) lack the groups section that is present in the root, website, and github-actions configurations. This inconsistency means minor and patch updates will create separate PRs for integrations instead of being grouped together, potentially increasing PR volume.

For consistency and to reduce PR noise, consider adding the same grouping strategy:

📦 Proposed addition of groups to integration configs

For each integration block (openclaw, pi, filesystem-watcher), add after the commit-message section:

     commit-message:
       prefix: deps(openclaw)
       include: scope
+    groups:
+      minor-and-patch:
+        update-types:
+          - minor
+          - patch

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/dependabot.yml around lines 44 - 90, The three Dependabot npm
entries for the integration directories (package-ecosystem: npm, directory:
/integrations/openclaw, /integrations/pi, /integrations/filesystem-watcher) are
missing a groups section; add the same grouping strategy used elsewhere so
minor/patch updates are consolidated (e.g., add a groups entry after
commit-message that groups "all-minor-patch" for type: dependency and
update-types: [version-update:semver-minor, version-update:semver-patch] and any
required patterns), ensuring each integration block uses identical group names
and rules to match the root/website/github-actions configs.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/dependabot.yml:
- Around line 44-90: The three Dependabot npm entries for the integration
directories (package-ecosystem: npm, directory: /integrations/openclaw,
/integrations/pi, /integrations/filesystem-watcher) are missing a groups
section; add the same grouping strategy used elsewhere so minor/patch updates
are consolidated (e.g., add a groups entry after commit-message that groups
"all-minor-patch" for type: dependency and update-types:
[version-update:semver-minor, version-update:semver-patch] and any required
patterns), ensuring each integration block uses identical group names and rules
to match the root/website/github-actions configs.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bb57d519-713b-417c-8536-b3b204aadca4

📥 Commits

Reviewing files that changed from the base of the PR and between 87fae50 and 5b4a341.

⛔ Files ignored due to path filters (1)

• website/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (2)

• .github/dependabot.yml
• website/package.json