diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..f0ce8fc
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,31 @@
+version: 2
+
+updates:
+  - package-ecosystem: "composer"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0
+    labels:
+      - "php"
+      - "security"
+      - "dependencies"
+    groups:
+      php-security:
+        applies-to: security-updates
+        patterns:
+          - "*"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "build"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
diff --git a/.github/workflows/auto-assign.yml b/.github/workflows/auto-assign.yml
index a17e92e..f37e91f 100644
--- a/.github/workflows/auto-assign.yml
+++ b/.github/workflows/auto-assign.yml
@@ -18,7 +18,7 @@ jobs:
       - name: Assign issues and pull requests
         uses: gustavofreze/auto-assign@2.0.0
         with:
-          assignees: '${{ secrets.ASSIGNEES }}'
+          assignees: '${{ vars.ASSIGNEES }}'
           github_token: '${{ secrets.GITHUB_TOKEN }}'
           allow_self_assign: 'true'
           allow_no_assignees: 'true'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..4c6d7f7
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,35 @@
+name: Security checks
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: "0 0 * * *"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ "actions" ]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v4
diff --git a/.gitignore b/.gitignore
index 1cb9b22..42b841a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,7 @@
 .idea
+
 vendor
 report
-.phpunit.cache
+.phpunit.*
 
-composer.lock
-.phpunit.result.cache
\ No newline at end of file
+*.lock
diff --git a/composer.json b/composer.json
index 512b038..356c0f8 100644
--- a/composer.json
+++ b/composer.json
@@ -42,12 +42,12 @@
     },
     "require": {
         "php": "^8.3",
-        "tiny-blocks/encoder": "^3"
+        "tiny-blocks/encoder": "^3.1"
     },
     "require-dev": {
         "phpmd/phpmd": "^2.15",
-        "phpunit/phpunit": "^11",
-        "phpstan/phpstan": "^1",
+        "phpunit/phpunit": "^11.5",
+        "phpstan/phpstan": "^1.12",
         "infection/infection": "^0.29",
         "squizlabs/php_codesniffer": "^3.11"
     },
@@ -60,7 +60,7 @@
         "phpmd": "phpmd ./src text phpmd.xml --suffixes php --ignore-violations-on-exit",
         "phpstan": "phpstan analyse -c phpstan.neon.dist --quiet --no-progress",
         "test-file": "phpunit --configuration phpunit.xml --no-coverage --filter",
-        "mutation-test": "infection --only-covered --threads=max --logger-html=report/coverage/mutation-report.html --coverage=report/coverage",
+        "mutation-test": "infection --threads=max --logger-html=report/coverage/mutation-report.html --coverage=report/coverage",
         "test-no-coverage": "phpunit --configuration phpunit.xml --no-coverage tests",
         "review": [
             "@phpcs",