
feat: enable Dependabot for automated dependency updates

Open keith-oak opened this issue 6 months ago • 0 comments

Summary

  • Enables Dependabot for automated dependency updates
  • Adds comprehensive documentation of current dependency status
  • Identifies 21 security vulnerabilities that need attention
  • Partially addresses #891

Details

This PR adds Dependabot configuration to help maintain up-to-date dependencies and automatically address security vulnerabilities. Currently, the project has:

  • 21 security vulnerabilities (1 critical, 4 high, 11 moderate, 5 low)
  • 45+ outdated packages with available updates
  • No automated dependency management

Changes Made

1. Added .github/dependabot.yml

  • Configured weekly update schedule (Mondays at 5 AM)
  • Groups minor and patch updates to reduce PR noise
  • Separate configurations for:
    • Main npm dependencies
    • Documentation site dependencies
    • GitHub Actions
  • Appropriate labels and commit message prefixes
  • Review assignment to maintainers team

2. Added DEPENDENCY_UPDATES.md

  • Complete audit of current security vulnerabilities
  • List of major version updates available
  • Recommendations for addressing issues
  • Notes on breaking changes for major updates

Benefits

  1. Automated Security Updates: Dependabot will automatically create PRs for security vulnerabilities
  2. Reduced Manual Work: No need to manually check for updates
  3. Better Security Posture: Timely updates reduce exposure to known vulnerabilities
  4. Grouped Updates: Minor and patch updates are grouped to minimize PR noise

Related Issues

  • Partially addresses #891 (Multiple dependencies out of date causing issues in downstream packages)
  • Works alongside PR #960 (cookie vulnerability fix)

Next Steps

Once this is merged, Dependabot will:

  1. Start creating PRs for security updates immediately
  2. Create grouped PRs for minor/patch updates weekly
  3. Help identify which major version updates are safe to apply

The DEPENDENCY_UPDATES.md file provides a roadmap for addressing the more complex major version updates that require manual testing.

keith-oak · Jun 24 '25 23:06
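For readers who want to see what the configuration described under "Changes Made" looks like in practice, here is an added example of a .github/dependabot.yml that implements the listed settings (weekly Monday 5 AM schedule, minor/patch grouping, separate npm, docs-site and GitHub Actions entries, labels, commit prefixes, reviewer assignment). It is not the file from this PR or from the static-web-apps-cli repository; the docs directory (`/docs`), the reviewer team slug (`example-org/maintainers`), the time zone and the label names are assumptions chosen for illustration.

```yaml
# Added example, not the PR's own dependabot.yml.
# Assumptions: docs site lives under /docs, the maintainers team is
# "example-org/maintainers", schedule is in UTC, label names are illustrative.
version: 2
updates:
  # 1) Main npm dependencies (package.json at the repository root)
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "05:00"
      timezone: "Etc/UTC"        # assumption: the PR does not name a zone
    # One PR per week for all minor and patch bumps; major bumps are
    # excluded from the group so each breaking change is reviewed on its own.
    groups:
      minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    labels:
      - "dependencies"
      - "npm"
    commit-message:
      prefix: "chore(deps)"
      include: "scope"
    reviewers:
      - "example-org/maintainers"  # placeholder team slug
    open-pull-requests-limit: 10

  # 2) Documentation site dependencies (assumed path)
  - package-ecosystem: "npm"
    directory: "/docs"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "05:00"
      timezone: "Etc/UTC"
    groups:
      docs-minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    labels:
      - "dependencies"
      - "docs"
    commit-message:
      prefix: "chore(docs-deps)"
    reviewers:
      - "example-org/maintainers"

  # 3) Action versions referenced from .github/workflows/*.yml
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "05:00"
      timezone: "Etc/UTC"
    labels:
      - "dependencies"
      - "github-actions"
    commit-message:
      prefix: "ci(deps)"
    reviewers:
      - "example-org/maintainers"
```

Two practical notes. First, this file governs Dependabot version updates; security updates (the PRs raised for advisories such as the 21 vulnerabilities the description counts) are switched on separately under the repository's code security settings, so merging a dependabot.yml alone does not enable them. Second, after committing the file, GitHub reports any parse or schema error on the Dependabot tab of the Dependency graph page, which is the quickest way to confirm that all three entries were accepted.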