Cargo.lock and package-lock.json are committed and CI runs cargo audit, cargo deny, and npm audit, but nothing opens update PRs, so dependency bumps are fully manual. We should add .github/dependabot.yml covering the Cargo workspace, the root, frontend, and circuits npm manifests, and GitHub Actions, grouped to reduce PR noise.
Acceptance criteria
- The Dependabot config covers all ecosystems in the repo.
- Updates are grouped and scheduled, and CI gates them.
Cargo.lockandpackage-lock.jsonare committed and CI runscargo audit,cargo deny, andnpm audit, but nothing opens update PRs, so dependency bumps are fully manual. We should add.github/dependabot.ymlcovering the Cargo workspace, the root, frontend, and circuits npm manifests, and GitHub Actions, grouped to reduce PR noise.Acceptance criteria