feat: enable Dependabot for automated dependency updates

- Add Dependabot configuration for npm and GitHub Actions
- Configure weekly update schedule with grouped minor/patch updates
- Set appropriate labels and commit message prefixes
- Add documentation of current dependency status and security vulnerabilities

This will help maintain up-to-date dependencies and address security vulnerabilities automatically. Currently there are 21 vulnerabilities (1 critical, 4 high, 11 moderate, 5 low) that need attention.

Author: keith-oak

.github/dependabot.yml

@@ -0,0 +1,65 @@
+version: 2
+updates:
+  # Enable version updates for npm
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "05:00"
+    open-pull-requests-limit: 10
+    # Group all minor and patch updates together
+    groups:
+      minor-and-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+    # Allow security updates
+    allow:
+      - dependency-type: "all"
+    commit-message:
+      prefix: "fix"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "javascript"
+    reviewers:
+      - "azure/static-web-apps-cli-maintainers"
+    
+  # Enable version updates for npm in docs
+  - package-ecosystem: "npm"
+    directory: "/docs/www"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "05:00"
+    open-pull-requests-limit: 5
+    groups:
+      docs-updates:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+    commit-message:
+      prefix: "chore(docs)"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "documentation"
+      
+  # Enable security updates for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "05:00"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    labels:
+      - "github-actions"
+      - "ci"

DEPENDENCY_UPDATES.md

@@ -0,0 +1,89 @@
+# Dependency Updates Overview
+
+## Security Vulnerabilities Found (21 total)
+
+- 5 low severity
+- 11 moderate severity
+- 4 high severity
+- 1 critical severity
+
+### Critical Security Issues
+
+1. **vitest** (2.0.2 → 2.1.9+): Remote Code Execution vulnerability when accessing malicious websites while Vitest API server is listening
+
+### High Security Issues
+
+1. **cookie** (<0.7.0): Allows injection of unexpected key-value pairs (already addressed in separate PR #960)
+2. **cross-spawn**: Regular Expression Denial of Service (ReDoS)
+3. **tar-fs**: Link following and path traversal vulnerabilities
+4. **send/serve-static**: Template injection leading to XSS
+
+## Major Version Updates Available
+
+### Production Dependencies
+
+- **@azure/arm-appservice**: 15.0.0 → 17.0.0
+- **@azure/arm-resources**: 5.2.0 → 6.1.0
+- **@azure/msal-common**: 14.13.0 → 15.7.1
+- **chalk**: 4.1.2 → 5.4.1
+- **commander**: 9.5.0 → 14.0.0
+- **concurrently**: 7.6.0 → 9.2.0
+- **cookie**: 0.5.0 → 1.0.2 (security fix already in separate PR)
+- **finalhandler**: 1.2.0 → 2.1.0
+- **get-port**: 5.1.1 → 7.1.0
+- **internal-ip**: 6.2.0 → 8.0.0
+- **json-schema-library**: 9.3.5 → 10.1.2
+- **node-fetch**: 2.7.0 → 3.3.2
+- **open**: 8.4.2 → 10.1.2
+- **ora**: 5.4.1 → 8.2.0
+- **rimraf**: 5.0.7 → 6.0.1
+- **serve-static**: 1.15.0 → 2.2.0
+- **wait-on**: 7.2.0 → 8.0.3
+
+### Development Dependencies
+
+- **@semantic-release/commit-analyzer**: 11.1.0 → 13.0.1
+- **@semantic-release/release-notes-generator**: 12.1.0 → 14.0.3
+- **@types/node**: 18.19.39 → 24.0.4
+- **@types/update-notifier**: 5.1.0 → 6.0.8
+- **cypress**: 9.7.0 → 14.5.0 (major update with breaking changes)
+- **husky**: 4.3.8 → 9.1.7 (major update with breaking changes)
+- **lint-staged**: 12.5.0 → 16.1.2
+- **semantic-release**: 22.0.12 → 24.2.5
+- **supertest**: 6.3.4 → 7.1.1
+- **vitest**: 2.0.2 → 3.2.4
+
+## Recommendations
+
+1. **Immediate Actions**:
+   - Cookie vulnerability fix (PR #960 already submitted)
+   - Enable Dependabot (this PR) for automated security updates
+2. **Short-term Actions**:
+   - Update critical and high-severity vulnerabilities
+   - Review and test major version updates for breaking changes
+3. **Long-term Actions**:
+   - Gradually update major versions with proper testing
+   - Consider updating Node.js type definitions to match current Node.js version
+   - Migrate from deprecated packages (e.g., node-fetch v2 to v3 or native fetch)
+
+## Notes on Breaking Changes
+
+### Husky (4.x → 9.x)
+
+- Configuration format has changed significantly
+- Git hooks setup is now different
+- May require migration script
+
+### Cypress (9.x → 14.x)
+
+- Many API changes and deprecations
+- Component testing setup changed
+- Configuration format updated
+
+### Node-fetch (2.x → 3.x)
+
+- Now ESM-only module
+- Requires Node.js 12.20.0 or higher
+- Some API changes
+
+These major updates should be handled separately with thorough testing.