diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..5f0e1874
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,36 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    versioning-strategy: increase
+    open-pull-requests-limit: 15
+    commit-message:
+      prefix: chore(deps)
+      prefix-development: chore(deps-dev)
+    labels:
+      - dependencies
+      - javascript
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    labels:
+      - dependencies
+      - github-actions
+
+  - package-ecosystem: gitsubmodule
+    directory: /
+    schedule:
+      interval: monthly
+    cooldown:
+      default-days: 7
+    labels:
+      - dependencies
+      - submodule
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
new file mode 100644
index 00000000..01818ee8
--- /dev/null
+++ b/.github/workflows/dependency-review.yaml
@@ -0,0 +1,19 @@
+# Runs on pull requests (including from Dependabot) to flag vulnerable or blocked dependencies.
+# Requires Dependency graph / Dependency review availability for the repository.
+name: Dependency review
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Dependency review
+        uses: actions/dependency-review-action@v4
diff --git a/.husky/pre-commit b/.husky/pre-commit
index 65808633..67388933 100755
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,6 +1,20 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"
 
+# macOS GUI Git clients (e.g. SourceTree) often run hooks with a minimal PATH and no Homebrew.
+if [ "$(uname -s)" = "Darwin" ]; then
+  export PATH="/opt/homebrew/bin:/usr/local/bin:$PATH"
+fi
+
+REPO_ROOT="$(git rev-parse --show-toplevel)"
+cd "$REPO_ROOT" || exit 1
+
+# bin/precommit.js requires dist/precommit.js; build once if missing (fresh clone / clean).
+if [ ! -f packages/monorepo-tools/dist/precommit.js ]; then
+  echo "husky: compiling @mongodb-js/monorepo-tools (dist missing)..."
+  npm run compile --workspace=@mongodb-js/monorepo-tools || exit 1
+fi
+
 # listings staged files only
 fileList=$(git diff --diff-filter=AM --cached --name-only)