chore: contributor onboarding (templates, dependabot, README security note)

- .github/ISSUE_TEMPLATE/bug_report.md — requires plugin version,
  jQuery version, full options object, repro steps. Aims to prevent
  the "vague report, ghost reporter" pattern (#862) by forcing the
  info the maintainer otherwise has to ask for after the fact.
- .github/ISSUE_TEMPLATE/feature_request.md — sketches API proposal,
  alternatives considered, prior art.
- .github/ISSUE_TEMPLATE/config.yml — disables blank issues; routes
  security reports to Private Vulnerability Reporting.
- .github/PULL_REQUEST_TEMPLATE.md — Summary / Test plan / Breaking
  changes checklist; references the local CI commands.
- .github/dependabot.yml — weekly grouped dev-dep PR
  (`chore(deps): ...`) and a separate GitHub Actions update channel
  (`ci(deps): ...`). Open-PR caps at 5/3.
- readme.md — new "Security" section signposting SECURITY.md and the
  Private Vulnerability Reporting form. Previously these existed but
  nothing in the README pointed at them.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: tkirda-bison

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,53 @@
+---
+name: Bug report
+about: A reproducible bug in the plugin
+title: ""
+labels: bug
+---
+
+<!--
+  Bug reports without a minimal reproduction are very hard to act on and
+  will usually be closed asking for more info. Please fill in every section.
+-->
+
+## What happened
+
+<!-- One or two sentences describing the actual behavior you observed. -->
+
+## What you expected to happen
+
+<!-- One or two sentences describing what should have happened instead. -->
+
+## Versions
+
+- `devbridge-autocomplete`:
+- `jquery`:
+- Browser + OS:
+
+## Autocomplete options
+
+<!--
+  Paste the FULL options object you pass to `.autocomplete(...)` or
+  `.devbridgeAutocomplete(...)`. Replace any secrets (URLs, API keys)
+  with placeholders.
+-->
+
+```js
+$('#example').devbridgeAutocomplete({
+    // ...
+});
+```
+
+## Steps to reproduce
+
+1.
+2.
+3.
+
+## Minimal reproduction
+
+<!--
+  Strongly preferred: a CodePen / JSFiddle / GitHub repo with the smallest
+  possible setup that demonstrates the bug. Without one, the maintainer
+  has to guess at your DOM, your callbacks, and your data shape.
+-->

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/devbridge/jQuery-Autocomplete/security/advisories/new
+    about: Please report vulnerabilities privately via GitHub Security Advisories, not as a public issue.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,31 @@
+---
+name: Feature request
+about: Propose a new option, callback, or behavior
+title: ""
+labels: enhancement
+---
+
+## The problem
+
+<!-- What can't you do today, or what's awkward? Concrete use case preferred. -->
+
+## Proposed API
+
+<!--
+  Sketch the option name, callback signature, or method you'd want.
+  Match the style of existing options in the readme's tables.
+-->
+
+```js
+$('#example').devbridgeAutocomplete({
+    yourNewOption: ...,
+});
+```
+
+## Alternatives considered
+
+<!-- Have you worked around it with existing options or formatResult/transformResult/lookupFilter? -->
+
+## Additional context
+
+<!-- Links to similar features in other libraries, references, etc. -->

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,27 @@
+<!--
+  Thanks for the PR! A short note on each section keeps reviews fast.
+  Delete sections that don't apply.
+-->
+
+## Summary
+
+<!-- What does this change and why? One paragraph. Reference any related issue with "Closes #123". -->
+
+## Test plan
+
+<!--
+  How did you verify this works?
+  - For bug fixes: did you add a regression test?
+  - For new options: are there specs covering the happy path + at least one edge case?
+  - For docs/build changes: how did you smoke-test?
+-->
+
+- [ ] `npm test` passes locally
+- [ ] `npm run lint && npm run format:check && npm run typecheck && npm run build` all green
+- [ ] If this changes a documented API, `readme.md` is updated to match
+
+## Breaking changes
+
+<!-- Anything that requires a major-version bump? Type-system narrowing, removed options, changed defaults, etc. -->
+
+None / List them here.

.github/dependabot.yml

@@ -0,0 +1,31 @@
+version: 2
+updates:
+  # Dev-dependencies: weekly grouped PR. Production has only `jquery` as a
+  # peer dep (and no runtime deps); production updates are handled per release.
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+    open-pull-requests-limit: 5
+    groups:
+      dev-dependencies:
+        dependency-type: development
+        update-types:
+          - minor
+          - patch
+    commit-message:
+      prefix: "chore(deps)"
+
+  # GitHub Actions used in workflows (CodeQL, CI, release). Pin updates so we
+  # don't drift behind a security-relevant action.
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+    open-pull-requests-limit: 3
+    commit-message:
+      prefix: "ci(deps)"

readme.md

@@ -280,6 +280,14 @@ the alias:
 $('.autocomplete').devbridgeAutocomplete({ ... });
 ```
 
+## Security
+
+To report a vulnerability, **please do not open a public GitHub issue.**
+Use GitHub's [Private Vulnerability Reporting](https://github.com/devbridge/jQuery-Autocomplete/security/advisories/new)
+form on this repository — it routes the report directly to the
+maintainers. Full policy and supported-version table:
+[SECURITY.md](https://github.com/devbridge/jQuery-Autocomplete/blob/master/SECURITY.md).
+
 ## License
 
 Ajax Autocomplete for jQuery is freely distributable under the terms of an