Add dependency vulnerability scanning and fix axios CVEs (#180)

- Add Security Audit workflow running npm audit on PRs, pushes, and
  weekly schedule; gates on high/critical vulns in production deps
- Add Dependabot config for npm and github-actions ecosystems
- Bump axios/socket.io-client/uuid to patched versions to clear the
  CVEs surfaced by the Wiz scan

Co-authored-by: Claude <noreply@anthropic.com>

Author: natansil

.github/dependabot.yml

@@ -0,0 +1,23 @@
+version: 2
+updates:
+  # Keep package.json dependencies patched. Combined with GitHub's
+  # Dependabot security updates (enabled in repo Settings > Security),
+  # this opens PRs for both routine version bumps and CVE fixes.
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    groups:
+      # Batch low-risk dev tooling updates into a single PR to cut noise.
+      dev-dependencies:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+          - "patch"
+
+  # Keep the GitHub Actions used by these workflows up to date.
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/security-audit.yml

@@ -0,0 +1,44 @@
+name: Security Audit
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  # Run on a weekly schedule so newly-disclosed CVEs in existing
+  # dependencies are surfaced even when there are no code changes.
+  schedule:
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+
+jobs:
+  audit:
+    name: npm audit (dependencies)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Use Node.js 20.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20.x"
+          cache: "npm"
+
+      - name: Install dependencies
+        run: npm ci
+
+      # Gating check: fail the build on high/critical vulnerabilities in
+      # the production dependencies declared in package.json. These are the
+      # ones that ship to consumers of the SDK (and show up in their Wiz
+      # scans), so they get the strictest treatment.
+      - name: Audit production dependencies
+        run: npm audit --omit=dev --audit-level=high
+
+      # Informational: report the full picture (including dev/transitive
+      # dependencies) without failing the build.
+      - name: Audit all dependencies (report only)
+        if: always()
+        run: npm audit
+        continue-on-error: true