docs: add dependency vulnerability status to README

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: vveerrgg

README.md

@@ -229,6 +229,14 @@ server.broadcast({
 });
 ```
 
+## Security
+
+### Dependency Vulnerability Status
+
+We actively monitor and address security vulnerabilities in this codebase. **`npm audit --omit=dev` reports zero vulnerabilities** for this package — there are no known security issues in production dependencies.
+
+Any remaining `npm audit` findings are in development-only tooling (eslint, typescript-eslint, vitest, typedoc, etc.) and stem from transitive dependencies with no upstream fix available. These are devDependencies that are never included in the published package and pose no risk to consumers of this library. We monitor upstream fixes and update promptly when they become available.
+
 ## Contributing
 
 Contributions are welcome! Please read our [Contributing Guide](CONTRIBUTING.md) for details on our code of conduct and the process for submitting pull requests.