Our security best practice should mention modern supply chain tools. Please:

- [ ] Add references to Dependabot / npm audit / Composer audit equivalents.
- [ ] Note why these tools matter for open source maintainers.