Add dependency vulnerability scanning to CI pipeline

[Copilot]

No vulnerability scanning existed in CI — npm audit, Snyk, and Dependabot auto-grouping were all absent, leaving 80+ dependencies (Web3, Capacitor, crypto libs) unscanned. Dependabot was on a monthly cadence with a cap of 5 PRs, leading to a growing backlog.

Changes

• test.yml — New security-audit job runs on every push:

  - name: Security audit
    run: npm audit --audit-level=high --omit=dev

  Scoped to production deps only; permissions: contents: read enforced.

• security-audit.yml — New standalone scheduled workflow running every Monday 08:00 UTC, also manually dispatchable. Workflow-level permissions: contents: read.

• dependabot.yml — Weekly schedule (was monthly), PR limit raised 5→10, patch and minor updates grouped to reduce noise while keeping major bumps as individual PRs for manual review.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Feature][High] Add dependency vulnerability scanning to CI pipeline</issue_title>
<issue_description>## Summary

The CI pipeline (.github/workflows/test.yml) runs lint and unit tests but does not include any dependency vulnerability scanning. With 80+ direct dependencies including security-sensitive packages (Web3, Capacitor plugins, crypto libraries), undetected vulnerable dependencies pose a significant supply chain risk.

Evidence

• .github/workflows/test.yml — only runs npm run lint and npm run test.ci
• No npm audit, Snyk, or Dependabot security scanning step found in any workflow
• 8 open Dependabot PRs (build(deps): bump @ngneat/transloco from 2.22.0 to 6.0.4 #3315-build(deps): bump webpack and @angular-devkit/build-angular #3323) have been open since February 2025 (over a year), suggesting no automated merge or review process for dependency updates
• Several major version bumps pending: zone.js (0.11→0.15), typescript (4.7→5.7), swiper (8→11)

Impact

• Vulnerable dependencies may ship to production undetected
• Stale Dependabot PRs accumulate, increasing the effort to catch up
• Major version dependency drift increases the risk of breaking changes when finally updated

Suggested Approach

1. Add npm audit --audit-level=high step to the test workflow:

- name: Security audit
  run: npm audit --audit-level=high --omit=dev

2. Configure Dependabot auto-merge for patch updates via .github/dependabot.yml
3. Consider adding a scheduled weekly security scan workflow
4. Prioritize reviewing the 8 pending Dependabot PRs, especially the major version bumps

Related

• Open Dependabot PRs: build(deps): bump @ngneat/transloco from 2.22.0 to 6.0.4 #3315, build(deps): bump @capacitor-community/bluetooth-le from 6.0.1 to 7.0.0 #3316, build(deps-dev): bump lint-staged from 11.1.2 to 15.4.3 #3317, build(deps): bump zone.js from 0.11.4 to 0.15.0 #3318, build(deps-dev): bump typescript from 4.7.4 to 5.7.3 #3319, build(deps): bump swiper from 8.4.7 to 11.2.2 #3320, build(deps-dev): bump stylelint-scss from 3.20.1 to 6.11.0 #3321, build(deps-dev): bump @types/node from 16.7.10 to 22.13.0 #3322, build(deps): bump webpack and @angular-devkit/build-angular #3323

Generated by Health Monitor with Omni</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [Feature][High] Add dependency vulnerability scanning to CI pipeline #3384

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.