Feat: Configure dependabot to maintain dependencies

[laywill]

Security Linters have shown a number of CVE vulnerabilities exist in the repo.

Having Dependabot configured to raise a weekly PR updating dependencies will help maintain security posture.
This should be combined with regular security scanning via enabling linters and SAST scanning (PR incoming).

Changes

• Dependabot configured to maintain dependencies weekly
• PRs grouped by Dev / Prod
• PRs grouped by language / toolchain / platform
• CODEOWNERS configured to automatically assign PRs raised by Dependabot to deliver dependency updates

Example security scans justifying need to update security regularly

GRYPE result

Results of grype linter (version 0.104.1)
-----------------------------------------------

❌ [ERROR] for workspace /
Linter raw log:
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME     INSTALLED  FIXED IN  TYPE        VULNERABILITY        SEVERITY  EPSS           RISK   
github   9.17.0     20120304  dart-pub    CVE-2012-2055        High      1.1% (77th)    0.7    
Flutter  1.0.0      3.3.3     pod         CVE-2022-3095        Critical  0.1% (28th)    < 0.1  
rsa      0.9.8      0.9.10    rust-crate  GHSA-9c48-w39g-hm26  Low       < 0.1% (18th)  < 0.1  
openssl  0.10.71    0.10.72   rust-crate  GHSA-4fcv-w3qc-ppgg  Medium    N/A            N/A    
git2     0.20.2     0.20.4    rust-crate  GHSA-j39j-6gw9-jw6h  Low       N/A            N/A    
tokio    1.44.1     1.44.2    rust-crate  GHSA-rr8g-9fpq-6wmg  Low       N/A            N/A
[0060] ERROR discovered vulnerabilities at or above the severity threshold

Trivy Result

Results of trivy linter (version 0.67.2)
-----------------------------------------------

❌ [ERROR] for workspace /example/folder
Linter raw log:
2026-02-13T12:49:51Z	INFO	[vulndb] Need to update DB
2026-02-13T12:49:51Z	INFO	[vulndb] Downloading vulnerability DB...
2026-02-13T12:49:51Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
3.22 MiB / 85.24 MiB [-->____________________________________________________________] 3.78% ? p/s ?6.91
...
...
2026-02-13T12:50:00Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2026-02-13T12:50:00Z	INFO	[vuln] Vulnerability scanning is enabled
2026-02-13T12:50:00Z	INFO	[misconfig] Misconfiguration scanning is enabled
2026-02-13T12:50:00Z	INFO	[misconfig] Need to update the checks bundle
2026-02-13T12:50:00Z	INFO	[misconfig] Downloading the checks bundle...
165.46 KiB / 165.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2026-02-13T12:50:16Z	INFO	Number of language-specific files	num=5
2026-02-13T12:50:16Z	INFO	[cargo] Detecting vulnerabilities...
2026-02-13T12:50:16Z	INFO	[cocoapods] Detecting vulnerabilities...
2026-02-13T12:50:16Z	INFO	[pub] Detecting vulnerabilities...
2026-02-13T12:50:16Z	INFO	Detected config files	num=0

Report Summary

┌───────────────────────────────────────────────┬───────────┬─────────────────┬───────────────────┐
│                    Target                     │   Type    │ Vulnerabilities │ Misconfigurations │
├───────────────────────────────────────────────┼───────────┼─────────────────┼───────────────────┤
│ .maestro/Cargo.lock                           │   cargo   │        0        │         -         │
├───────────────────────────────────────────────┼───────────┼─────────────────┼───────────────────┤
│ ios/Podfile.lock                              │ cocoapods │        0        │         -         │
├───────────────────────────────────────────────┼───────────┼─────────────────┼───────────────────┤
│ pubspec.lock                                  │    pub    │        0        │         -         │
├───────────────────────────────────────────────┼───────────┼─────────────────┼───────────────────┤
│ rust/Cargo.lock                               │   cargo   │        4        │         -         │
├───────────────────────────────────────────────┼───────────┼─────────────────┼───────────────────┤
│ rust_builder/cargokit/build_tool/pubspec.lock │    pub    │        0        │         -         │
└───────────────────────────────────────────────┴───────────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


rust/Cargo.lock (cargo)
=======================
Total: 4 (UNKNOWN: 0, LOW: 3, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version      │                            Title                             │
├─────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ git2    │ GHSA-j39j-6gw9-jw6h │ LOW      │ fixed  │ 0.20.2            │ 0.20.4                 │ git2 has potential undefined behavior when dereferencing Buf │
│         │                     │          │        │                   │                        │ struct                                                       │
│         │                     │          │        │                   │                        │ https://github.com/advisories/GHSA-j39j-6gw9-jw6h            │
├─────────┼─────────────────────┼──────────┤        ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ openssl │ GHSA-4fcv-w3qc-ppgg │ MEDIUM   │        │ 0.10.71           │ 0.10.72                │ rust-openssl Use-After-Free in `Md::fetch` and               │
│         │                     │          │        │                   │                        │ `Cipher::fetch`                                              │
│         │                     │          │        │                   │                        │ https://github.com/advisories/GHSA-4fcv-w3qc-ppgg            │
├─────────┼─────────────────────┼──────────┤        ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ rsa     │ CVE-2026-21895      │ LOW      │        │ 0.9.8             │ 0.9.10                 │ RSA: RSA crate: Denial of Service due to malformed prime in  │
│         │                     │          │        │                   │                        │ private...                                                   │
│         │                     │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2026-21895                   │
├─────────┼─────────────────────┤          │        ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ tokio   │ GHSA-rr8g-9fpq-6wmg │          │        │ 1.44.1            │ 1.44.2, 1.38.2, 1.43.1 │ Tokio broadcast channel calls clone in parallel, but does    │
│         │                     │          │        │                   │                        │ not require `Sync`...                                        │
│         │                     │          │        │                   │                        │ https://github.com/advisories/GHSA-rr8g-9fpq-6wmg            │
└─────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘