From 5acd1d489dd9440185ed1e26df6135d7d3aa9afa Mon Sep 17 00:00:00 2001
From: thePR0M3TH3AN <53631862+PR0M3TH3AN@users.noreply.github.com>
Date: Sun, 3 Aug 2025 08:32:57 -0400
Subject: [PATCH] chore: add dependency auditing

---
.github/dependabot.yml | 10 ++++++++++
.github/workflows/dependency-audit.yml | 25 +++++++++++++++++++++++++
README.md | 20 ++++++++++++++++++++
3 files changed, 55 insertions(+)
create mode 100644 .github/dependabot.yml
create mode 100644 .github/workflows/dependency-audit.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..645c171
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/dependency-audit.yml b/.github/workflows/dependency-audit.yml
new file mode 100644
index 0000000..3729f6b
--- /dev/null
+++ b/.github/workflows/dependency-audit.yml
@@ -0,0 +1,25 @@
+name: Dependency Audit
+
+on:
+ schedule:
+ - cron: '0 0 * * 0'
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ audit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: '3.11'
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r src/requirements.txt
+ pip install pip-audit
+ - name: Run pip-audit
+ run: pip-audit -r requirements.lock --ignore-vuln GHSA-wj6h-64fc-37mp
diff --git a/README.md b/README.md
index 41733a5..8fefecb 100644
--- a/README.md
+++ b/README.md
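Review bot: The `pip` entry uses `directory: "/"`, but the workflow added in this same commit installs from `src/requirements.txt` and audits `requirements.lock`, which suggests the Python manifests may not live at the repository root. Dependabot only discovers manifests inside the configured directory, so if the requirements sit under `src/` this entry will find nothing to update and the README's statement that Dependabot checks Python packages would not hold in practice. Verify which file Dependabot actually picks up and, if needed, change it to `directory: "/src"` or add a second `pip` entry for the lock file's location. A short comment naming the manifest each entry is expected to track would make that mismatch obvious the next time the layout changes.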
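Review bot: The suppression `--ignore-vuln GHSA-wj6h-64fc-37mp` on the final `run:` line carries no justification, so a reader cannot tell which package it concerns, why the finding is accepted, or when it should be revisited, and such suppressions tend to outlive their reason. Put the rationale next to it, e.g. a comment above the step reading `# GHSA-wj6h-64fc-37mp: <affected package> – <why accepted / not fixable yet>; re-evaluate after <date>`, and track its removal in an issue. Separately, `pip-audit -r` resolves the listed requirements into its own temporary environment, so the preceding `pip install -r src/requirements.txt` line does no work for the audit and installs a different file from the one being audited (`requirements.lock`); confirm which file is the intended source of truth and audit that one, dropping the redundant install. The two third-party actions are referenced by major tag (`@v4`, `@v5`); pinning them to a full commit SHA, with the `github-actions` Dependabot entry from this commit keeping the pins current, removes the exposure to tag retargeting.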
@@ -36,6 +36,7 @@ SeedPass now uses the `portalocker` library for cross-platform file locking. No
 - [Building a standalone executable](#building-a-standalone-executable)
 - [Packaging with Briefcase](#packaging-with-briefcase)
 - [Security Considerations](#security-considerations)
+- [Dependency Updates](#dependency-updates)
 - [Contributing](#contributing)
 - [License](#license)
 - [Contact](#contact)
@@ -743,6 +744,25 @@ For local testing, Uvicorn can run with TLS directly:
 uvicorn seedpass.api:app --ssl-certfile=cert.pem --ssl-keyfile=key.pem
 ```
+## Dependency Updates
+
+Automated dependency updates are handled by [Dependabot](https://docs.github.com/en/code-security/dependabot).
+Every week, Dependabot checks Python packages and GitHub Actions used by this repository and opens pull requests when updates are available.
+
+To review and merge these updates:
+
+1. Review the changelog and release notes in the Dependabot pull request.
+2. Run the test suite locally:
+   ```bash
+ python3 -m venv venv
+ source venv/bin/activate
+ pip install -r src/requirements.txt
+ pytest
+ ```
+3. Merge the pull request once all checks pass.
+
+A scheduled **Dependency Audit** workflow also runs [`pip-audit`](https://github.com/pypa/pip-audit) weekly to detect vulnerable packages. Address any reported issues promptly to keep dependencies secure.
+
 ## Contributing
+
 Contributions are welcome! If you have suggestions for improvements, bug fixes, or new features, please follow these steps: