diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..0bea83a
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,42 @@
+# Dependabot version updates — sdk-python
+# Ubicación obligatoria: .github/dependabot.yml
+# Ecosistemas: pip (Python) + github-actions
+version: 2
+
+updates:
+  # ── Python / pip ─────────────────────────────────────────────────────
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "America/Bogota"
+    open-pull-requests-limit: 5
+    assignees:
+      - "mercadopago/backend-sdks"
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+    # pip puede ejecutar código de setup.py durante el update — lo bloqueamos
+    insecure-external-code-execution: "deny"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
+
+  # ── GitHub Actions (CI) ──────────────────────────────────────────────
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "America/Bogota"
+    open-pull-requests-limit: 1
+    labels:
+      - "dependencies"
+      - "ci"
+    commit-message:
+      prefix: "chore(ci)"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3d5e6fc..fa2de8b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -44,3 +44,9 @@ jobs:
           python -m unittest discover tests/
         env:
           ACCESS_TOKEN: ${{secrets.ACCESS_TOKEN}}
+
+      - name: Install pip-audit
+        run: pip install pip-audit
+
+      - name: Dependency audit
+        run: pip-audit
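Review bot: The `ignore` entry with `dependency-name: "*"` and `update-types: ["version-update:semver-major"]` in the pip block also suppresses Dependabot security-update PRs whose fix only ships in a new major release, because Dependabot applies ignore conditions to security updates as well as version updates (verify against the current Dependabot options reference); if that is not intended, scope the ignore to the specific packages that are costly to bump or drop it and close semver-major PRs case by case. Separately, `assignees` is given what looks like an org/team slug (`mercadopago/backend-sdks`), whereas that key takes individual usernames — confirm it resolves, or rely on CODEOWNERS for review assignment instead. A short comment above the ignore block would record the trade-off for the next maintainer, e.g. `# NOTE: ignore rules also hide security fixes that require a major bump`.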
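Review bot: `pip-audit` with no arguments audits whatever is installed in the runner's environment rather than the project's declared dependencies, and the preceding `pip install pip-audit` step adds pip-audit's own transitive dependencies to that set, so findings (or their absence) may reflect the tooling rather than the SDK. Point the audit at the project's manifest, e.g. `run: pip-audit -r requirements.txt` (or whichever file the earlier install step uses — it is outside the hunk), and pin the tool so the audit itself is reproducible, e.g. `run: pip install 'pip-audit==<VERSION>'` with a real version filled in; the `pypa/gh-action-pip-audit` action pinned to a commit SHA is an equivalent option that the github-actions Dependabot ecosystem would then keep current. The enclosing job and its `steps` list start outside the hunk.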