From 55aa078340d66e2c3737cee6ddbfcb4d58eba6d5 Mon Sep 17 00:00:00 2001
From: Joseph Lewkovich
Date: Sun, 7 Jun 2026 09:59:39 -0400
Subject: [PATCH 1/2] chore(security): add Dependabot config
Part of the org-wide repo security audit. This repo has no package.json (front-end assets are loaded via CDN), so the npm ecosystem block is intentionally commented out as a template for future use. Only github-actions is active today, which will keep any future workflow Action versions patched automatically.
---
 .github/dependabot.yml | 45 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..97870e4
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,45 @@
+# Dependabot configuration for jml6m/memory-game
+# Docs: https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+#
+# Audit note (2026-06-07):
+# This repo currently ships no package manifest (no package.json / lockfile).
+# AngularJS and ngDialog are loaded from public CDNs in memory.html, which
+# Dependabot cannot scan. The `npm` block below is left commented as a
+# template for when/if this project migrates to a bundler.
+version: 2
+updates:
+ # Keep any GitHub Actions used in workflows up to date.
+ # Currently no workflows exist, but enabling this preemptively means
+ # any Action added later (incl. an advanced CodeQL workflow) will be
+ # auto-patched.
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 5
+ labels:
+ - "dependencies"
+ - "github-actions"
+ commit-message:
+ prefix: "chore(deps)"
+ include: "scope"
+
+ # Template — uncomment once a package.json is added to the repo root.
+ # - package-ecosystem: "npm"
+ # directory: "/"
+ # schedule:
+ # interval: "weekly"
+ # open-pull-requests-limit: 10
+ # labels:
+ # - "dependencies"
+ # - "javascript"
+ # commit-message:
+ # prefix: "chore(deps)"
+ # prefix-development: "chore(deps-dev)"
+ # include: "scope"
+ # groups:
+ # # Batch minor/patch bumps into a single PR to reduce noise.
+ # minor-and-patch:
+ # update-types:
+ # - "minor"
+ # - "patch"
From a3d47a8271ec1c888204fd4c750e5a00045050bd Mon Sep 17 00:00:00 2001
From: Joseph Lewkovich
Date: Sun, 7 Jun 2026 10:13:42 -0400
Subject: [PATCH 2/2] Apply suggestions from code review
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Joseph Lewkovich
---
 .github/dependabot.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 97870e4..f3c13a9 100644
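Review bot: The comment block above the github-actions entry (`# any Action added later ... will be` / `# auto-patched.`) and the commit message overstate what this config achieves: Dependabot only opens a pull request for an outdated Action reference, and `open-pull-requests-limit: 5` caps how many can be open at once, so nothing is patched until a maintainer reviews and merges each PR. Suggest rewording to `# any Action added later (incl. an advanced CodeQL workflow) gets a version-bump PR` / `# opened automatically; it still has to be reviewed and merged.` The audit note could also record that the CDN-loaded AngularJS and ngDialog in memory.html remain outside any automated updater, so their versions need manual tracking (and, if not already present, `integrity` attributes on those script tags), since that is the only third-party dependency surface this file's own note says the repo has today.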
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -17,9 +17,10 @@ updates:
 schedule:
 interval: "weekly"
 open-pull-requests-limit: 5
- labels:
- - "dependencies"
- - "github-actions"
+ # Optional: Dependabot only applies labels that already exist in the repo.
+ # labels:
+ # - "dependencies"
+ # - "github-actions"
 commit-message:
 prefix: "chore(deps)"
 include: "scope"
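Review bot: The new comment (`# Optional: Dependabot only applies labels that already exist in the repo.`) explains why the block was disabled but not what happens instead; with the `labels` key absent, PRs fall back to Dependabot's default labelling (the `dependencies` label, as the Dependabot docs describe it), which a reader of this file cannot tell from the comment. Suggest extending it to `# Optional: Dependabot only applies labels that already exist in the repo;` / `# with this block omitted, PRs get Dependabot's default "dependencies" label.` The enclosing `updates` entry begins before this hunk, so the ecosystem it belongs to is not visible here.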