diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..5c00164
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,25 @@
+version: 2
+updates:
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ prefix: "chore"
+ include: "scope"
+ # Collapse the weekly minor/patch churn into a single rolling PR
+ # instead of one PR per package.
+ groups:
+ npm-minor-patch:
+ patterns: ["*"]
+ update-types: ["minor", "patch"]
+ # Supply-chain delay: don't propose an update until the new version
+ # has been published for at least 3 days. Mitigates auto-merging a
+ # freshly-published malicious release.
+ cooldown:
+ semver-minor-days: 3
+ semver-patch-days: 3
+ # Majors always require a human; never auto-bumped or auto-merged.
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
new file mode 100644
index 0000000..93a6a38
--- /dev/null
+++ b/.github/workflows/dependabot-automerge.yml
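Review bot: The companion workflow in this commit pins `dependabot/fetch-metadata` to a commit SHA, but this file configures only the `npm` ecosystem, so that pin (and any action pin added later) is never refreshed by Dependabot and will silently age. A second `updates` entry for the `github-actions` ecosystem keeps action pins on the same weekly cadence; the `cooldown` block is per-entry, so repeat it there if the same publish delay is wanted. Separately, the comment above `ignore` says majors "always require a human", but `ignore` with `dependency-name: "*"` suppresses major-version PRs entirely rather than routing them to a reviewer; since the auto-merge workflow already gates on semver-patch/minor, either drop the `ignore` block so majors surface as ordinary, non-auto-merged PRs, or reword the comment to `# Majors are not proposed at all; track them out-of-band.`
```yaml
  # … unchanged: npm entry …
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```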
@@ -0,0 +1,35 @@
+name: Dependabot auto-merge
+
+# Auto-enable GitHub auto-merge ("--auto") for Dependabot patch/minor PRs.
+# The PR still only merges once branch protection's required checks
+# (the "Test & Coverage" job) pass. Gated to the trusted dependabot[bot] actor
+# AND author; on: pull_request (not pull_request_target); never runs or
+# trusts third-party PR code.
+on: pull_request
+
+concurrency:
+ group: dependabot-automerge-${{ github.event.pull_request.number }}
+ cancel-in-progress: false
+
+jobs:
+ dependabot:
+ name: Auto-merge Dependabot patch/minor PRs
+ runs-on: ubuntu-latest
+ # Verify both the triggering actor and the PR author to avoid actor spoofing.
+ if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]'
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Fetch Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Enable auto-merge for patch and minor updates
+ if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
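Review bot: The header comment's safety claim that the PR "still only merges once branch protection's required checks pass" depends on repository settings this file cannot enforce: "Allow auto-merge" must be enabled and "Test & Coverage" must be configured as a required status check in a ruleset or branch protection; without those, the `gh pr merge --auto` step either fails or, with no required checks, merges as soon as it is enabled. I would extend the header with `# Relies on repo settings: "Allow auto-merge" on, and "Test & Coverage" set as a required status check; without them --auto merges immediately.` so the dependency is visible to whoever audits this repo. Minor style point: `github-token` in the metadata step quotes its `${{ }}` expression while `PR_URL` and `GH_TOKEN` under `env` do not; quoting all three consistently reads better and guards against an expansion that starts with a YAML indicator.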