Add Dependabot configuration for automated security updates

[hman38705]

Labels: security, dependencies, good first issue
Priority: High

Description

There is no Dependabot configuration. Known CVEs in the 1000+ npm dependencies go undetected and unpatched until they are exploited or manually discovered.

Context

.github/ contains CI workflow files but no dependabot.yml. Dependabot can automatically create PRs for security updates. Both npm and GitHub Actions dependencies should be covered.

Suggested Implementation

Fork the repo and create a branch:

git checkout -b feat/dependabot-config

Create .github/dependabot.yml with:

version: 2
updates:
  - package-ecosystem: npm
    directory: /frontend
    schedule:
      interval: weekly
    open-pull-requests-limit: 10

  - package-ecosystem: npm
    directory: /services/tts
    schedule:
      interval: weekly
    open-pull-requests-limit: 10

  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    open-pull-requests-limit: 10

Acceptance Criteria

• .github/dependabot.yml exists and is valid YAML
• Covers npm in /frontend and /services/tts
• Covers GitHub Actions in /
• open-pull-requests-limit: 10 set to avoid PR flooding
• Dependabot enabled in repository settings after merging

Example commit: feat: add Dependabot configuration for automated security updates
PR description must include: Closes #120

---

[Emmyt24]

@Emmyt24 has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hi team, I'd like to work on this issue.
I'm a full-stack developer experienced in TypeScript, Rust, and smart contract development across EVM and Soroban/Stellar ecosystems. I've built and shipped production systems covering backend APIs, frontend interfaces (Next.js, React), CI/CD pipelines, and onchain protocols — so I'm comfortable working across whatever layer this issue touches.
My approach
I'll start by reproducing the issue locally and reading the surrounding code to understand context and constraints. I'll scope the fix tightly to avoid unnecessary churn, write or update tests to cover the change, and make sure linting, formatting, and existing CI checks all pass before opening a PR. If anything in the issue is ambiguous, I'll flag it early rather than guess.
What you can expect
A single clean PR with a clear description linking back to this issue. Minimal, well-tested changes that follow the project's existing conventions. Fast turnaround — I'm available to start immediately and responsive to review feedback.
Happy to discuss the approach further if needed. Looking forward to contributing.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Emmyt24 to this issue.

[drips-wave]

Congratulations, @Emmyt24! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @Emmyt24: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[drips-wave]

This issue has been completed by @Emmyt24 as part of the Stellar Wave Program's 5th Wave 🥳

😎 @Emmyt24: You earned 200 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here. You can also Leave a review to share your experience working on this issue.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.