fix(deps): resolve all 26 open Dependabot security alerts + enable automation

[MaanavD]

Resolves all 26 open Dependabot security alerts and adds ongoing automation.

Fixes

• electron bump ^34->^39.8.5 (15 CVEs in electron-chat-application)
• postcss override ^8.5.10, vite ^6.4.2, defu ^6.1.5, picomatch ^4.0.4 (sdk_legacy/js transitive deps)
• picomatch ^4.0.4, cookie ^0.7.0 (www transitive deps)
• @langchain/core pinned ^0.3.80 (langchain-integration-example)

Automation added

• .github/dependabot.yml\ — weekly version updates for npm, pip, NuGet, Cargo, GitHub Actions
• .github/workflows/dependabot-auto-merge.yml\ — auto-approve + auto-merge Dependabot patch/minor/security PRs after CI passes; major bumps require human merge

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
foundry-local	Ready	Preview, Comment	May 28, 2026 12:08am

[Copilot]

Pull request overview

This PR addresses a set of Dependabot-reported security alerts by updating vulnerable JavaScript dependencies (via direct bumps and npm overrides) and adds repository-level Dependabot automation (config + auto-merge workflow) to keep dependencies updated going forward.

Changes:

• Adds npm overrides and lockfile updates to remediate vulnerable transitive dependencies in www/ and sdk_legacy/js/.
• Pins/bumps sample app dependencies to resolve known advisories (Electron + LangChain core).
• Introduces .github/dependabot.yml plus a GitHub Actions workflow to auto-approve and enable auto-merge for eligible Dependabot PRs.

Reviewed changes

Copilot reviewed 6 out of 8 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
www/package.json	Adds npm overrides for picomatch and cookie to address transitive vulnerabilities.
www/package-lock.json	Updates resolved versions for overridden vulnerable packages.
sdk_legacy/js/package.json	Adds npm overrides for vulnerable transitive deps (postcss, vite, defu, picomatch).
sdk_legacy/js/package-lock.json	Updates lockfile to reflect overridden/transitively updated packages.
samples/js/langchain-integration-example/package.json	Pins @langchain/core to a non-latest version to avoid vulnerable/unstable resolutions.
samples/js/electron-chat-application/package.json	Bumps Electron to a newer major release to address multiple CVEs.
.github/workflows/dependabot-auto-merge.yml	Adds automation to auto-approve and conditionally enable auto-merge for Dependabot PRs.
.github/dependabot.yml	Adds weekly Dependabot version update configuration across multiple ecosystems and directories.

Files not reviewed (2)

• sdk_legacy/js/package-lock.json: Language not supported
• www/package-lock.json: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[MaanavD]

Checked: the latest @sveltejs/kit (v2.61.1, released today) still declares cookie: ^0.6.0, so there is no upstream version that natively requires ^0.7.x — upgrading @sveltejs/kit won't resolve the alert.

There is also no patched 0.6.x release; 0.6.0 is the last and only 0.6.x version, so pinning to a safe 0.6.x isn't possible either.

The override stays as ^0.7.0. The breaking change in cookie@0.7 is stricter validation of cookie names/paths/domains on creation (throws on out-of-bounds characters); SvelteKit only uses cookie for parsing request/response headers and for its cookies.set() API with well-formed cookie names, so the behavioral change doesn't apply here. This is the only viable path to close the Dependabot alert.

[MaanavD]

Re-triggering CI — foundry-local-core 1.2.0 should now be published.