Add automated npm dependency updates + audit in CI

[tblivet]

Description:

Dependencies are getting outdated and show vulnerabilities when running npm audit. We should automate updates (Renovate/Dependabot) and add an audit step in CI that alerts or fails on high/critical issues.

Expected:

• Automated PRs for npm updates
• CI audit step detecting vulnerabilities
• Reduced dependency/security debt

[ga-devfront]

Why this approach is risky:

1. Supply Chain Risks (The "Poisoning" Factor) This is the biggest red flag. If you automate updates without strict human review, you're vulnerable. If a malicious actor hijacks a small dependency and releases a "v2.0.1" containing a backdoor, your automated system might pull it in, pass basic CI tests, and merge it. You end up shipping malware to your users.

2. Breaking the CI on "Ghost" Vulnerabilities Setting the CI to fail on npm audit is a double-edged sword. Often, security flags are raised for dev-dependencies (like a bug in a testing tool) that have zero impact on your production code. If your CI is "red" because of a minor dev-tool bug, you can’t merge critical fixes for your own project until that external dependency is patched. It creates unnecessary bottlenecks.

3. Maintenance Fatigue Open source is powered by volunteers. A bot spamming 20 Pull Requests a week for every minor patch version is exhausting. It leads to "click-merge" fatigue, where maintainers stop actually auditing the changes because there are just too many, which defeats the purpose of the security check in the first place.

[tswfi]

This is not a nice place to be either (current develop branch):

$ npm ci
npm WARN deprecated @types/minimatch@6.0.0: This is a stub types definition. minimatch provides its own type definitions, so you do not need this installed.
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated w3c-hr-time@1.0.2: Use your platform's native performance.now() and performance.timeOrigin.
npm WARN deprecated domexception@4.0.0: Use your platform's native DOMException instead
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.

added 1338 packages, and audited 1339 packages in 17s

351 packages are looking for funding
  run `npm fund` for details

34 vulnerabilities (7 low, 14 moderate, 13 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.