Add Renovate 'vulnerabilityAlerts' configuration

[AlexSkrypnyk]

Context

Split off from #2355 (Harden Renovate config). The root renovate.json currently lacks a vulnerabilityAlerts block, which means GitHub/OSV security advisories flow through the same schedules as routine dependency updates.

Gap

Renovate's vulnerabilityAlerts configuration opts into security advisories with their own schedule, labels, and merge policy, separate from the main dependency update flow. Without it, security-flagged updates wait for the same Sunday/daily schedule windows as routine bumps.

Proposal

Add a top-level block to renovate.json:

"vulnerabilityAlerts": {
  "enabled": true,
  "labels": ["Dependencies", "Security"],
  "automerge": false,
  "dependencyDashboardApproval": false,
  "schedule": ["at any time"]
}

Design decisions

• automerge: false - Drupal SA-CORE advisories occasionally ship in minor releases that bring API changes. Downstream projects inheriting Vortex should not silently merge security updates without review.
• schedule: ["at any time"] - security fixes bypass the Sunday/daily schedule windows used by the main rules.
• Labels ["Dependencies", "Security"] - reuses the existing Dependencies label plus a new Security label for filtering.
• dependencyDashboardApproval: false - vulnerability PRs are created immediately without waiting for explicit approval on the dashboard.

Acceptance criteria

• renovate.json contains the block above.
• Installer fixtures in .vortex/installer/tests/Fixtures/handler_process/ regenerated via ahoy update-snapshots.
• No behavior change for non-security updates.
• Documentation note added if the Security label needs to be created in the template repository.

References

• Renovate docs: https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts
• Parent issue: Harden renovate config #2355

[coderabbitai]

🔗 Related PRs

#2126 - [#2125] Added support for Composer 2.9.0 automated security audit. [merged]
#2278 - Add config to Renovate to update root FE deps. [merged]
#2321 - Updated Renovate configuration to name all groups consistently and exclude language version updates. [merged]
#2361 - Updated Renovate docs. [merged]
#2424 - [#2332] Added stability flags workaround and fixed manual trigger bypass for dependency updates. [merged]

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

• Create Plan

---

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!