[Infra] Supply-chain hardening (cargo audit / cargo deny + Dependabot)

## Problem
There is no automated scanning for known-vulnerable dependencies in either the cargo or npm trees,
and no automated dependency updates.

## What needs to be done
- [ ] Add `cargo audit` (RustSec advisory DB) as a CI step; fail on vulnerabilities
- [ ] Add `cargo deny` with a `deny.toml` covering advisories, licenses, and duplicate/banned crates
- [ ] Add `.github/dependabot.yml` for `cargo`, `npm` (root + `backend/`), and `github-actions`
- [ ] Triage and resolve the first batch of findings

## Acceptance criteria
- [ ] CI fails on a known-vulnerable dependency
- [ ] `deny.toml` committed and passing
- [ ] Dependabot opens update PRs

## Relevant files
`.github/workflows/node.yml`, new `deny.toml`, new `.github/dependabot.yml`, `Cargo.lock`, `package-lock.json`, `backend/package-lock.json`

## References
- https://github.com/rustsec/rustsec  ·  https://embarkstudios.github.io/cargo-deny/


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Infra] Supply-chain hardening (cargo audit / cargo deny + Dependabot) #31

Problem

What needs to be done

Acceptance criteria

Relevant files

References

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Uh oh!

[Infra] Supply-chain hardening (cargo audit / cargo deny + Dependabot) #31

Description

Problem

What needs to be done

Acceptance criteria

Relevant files

References

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions