Description
On the repository insights page it is shown that Dependabot version updates are not configured yet.
Dependabot helps keep dependencies up to date by automatically creating pull requests for version updates. Without it, outdated dependencies can accumulate unnoticed, increasing
• security risks
• maintenance overhead
• effort required for larger update jumps later
Given that visdom is an active project, automated dependency management should be enabled.
Expected behaviour
• Dependabot is configured for the repository
• Regular dependency update PRs are created automatically
• Updates are scoped, reviewable, and follow best practices
Proposed solution
• Add a .github/dependabot.yml configuration file
• Enable Dependabot for relevant package ecosystems, for example
  • npm or yarn, if applicable
  • pip or poetry, if applicable
  • GitHub Actions
• Define a reasonable update schedule, e.g. weekly
• Group related dependency updates where it makes sense
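An example .github/dependabot.yml that covers the three ecosystems listed above, a weekly schedule, and grouping of non-breaking bumps. This is an added illustration, not a file from the visdom repository; the root directory ("/") for the npm and pip manifests, the labels, the PR limits and the commit-message prefixes are assumptions to adjust to the project's layout and conventions.

```yaml
# .github/dependabot.yml -- added example, not the project's own file.
# Assumptions: package.json and setup.py/requirements live at the repo root,
# workflows sit under .github/workflows, and the labels below exist or may be created.
version: 2
updates:
  # JavaScript (frontend) dependencies
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "javascript"
    commit-message:
      prefix: "build(deps)"
    groups:
      # One PR for all minor and patch bumps; major bumps stay separate
      # so potentially breaking changes are reviewed on their own.
      npm-minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"

  # Python (server and client) dependencies
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "python"
    commit-message:
      prefix: "build(deps)"
    groups:
      pip-minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"

  # Actions referenced by CI workflows (keeps `uses:` versions current)
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "ci"
    commit-message:
      prefix: "ci(deps)"
    groups:
      actions:
        patterns:
          - "*"
```

Two caveats worth keeping in mind when reviewing the PR that adds this file. First, version updates configured here are separate from Dependabot security updates, which are switched on under the repository's security settings; both are worth enabling. Second, after the file lands, the Dependabot tab under Insights > Dependency graph lists each configured ecosystem with the time of its last check, which is the quickest way to confirm the configuration was picked up and that the `directory` values actually match where the manifests live.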
Scope
• Repository configuration only
• No functional code changes
• CI and existing workflows should remain unaffected
Acceptance criteria
• Dependabot is enabled and active for the repository
• Dependency update PRs are created automatically
• Configuration follows project standards and is easy to maintain
• No false positives or excessive noise from update PRs
Notes
This is a maintenance and security improvement. Enabling Dependabot early helps keep the dependency stack healthy and reduces long term technical debt.