chore: add auto-update workflow for dependencies

Author: stephanebouget

.github/workflows/auto-update.yml

@@ -3,7 +3,7 @@ name: Auto-update dependencies
 on:
   schedule:
     # Every day at 02:00 UTC
-    - cron: '0 2 * * *'
+    - cron: "0 2 * * *"
   workflow_dispatch:
 
 permissions:
@@ -18,31 +18,41 @@ jobs:
       - name: Check out Git repository
         uses: actions/checkout@v4
 
-      - name: Install Node.js and Yarn
+      - name: Install Node.js
         uses: actions/setup-node@v4
         with:
           node-version: 22
 
-      - name: yarn install
-        run: yarn install
+      - name: Install dependencies
+        run: npm ci
 
       - name: Update dependencies
         run: |
           npm install -g npm-check-updates
+
+          # Update to latest minor+patch (non-breaking)
           ncu -u --target minor
-          yarn install
+
+          # Also apply patch-only updates for packages already at their major
+          ncu -u --target patch
+
+          # Actually upgrade all resolutions in package-lock.json
+          npm install
+
+          # Deduplicate lockfile to remove old vulnerable transitive deps
+          npm dedupe
 
       - name: Create Pull Request
         id: create-pr
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@v7
         with:
           token: ${{ secrets.PAT_TOKEN }}
-          commit-message: 'chore: update dependencies'
-          title: 'chore: update dependencies'
+          commit-message: "chore: update dependencies"
+          title: "chore: update dependencies"
           body: |
             Automated dependency update.
 
-            This PR updates all dependencies in `package.json` and `yarn.lock`.
+            This PR updates all dependencies in `package.json` and `package-lock.json`.
 
             Please review and merge if all checks pass.
           branch: chore/update-dependencies