Update Dependabot configuration for package ecosystem (#217)

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: chrisguidry

.github/dependabot.yml

@@ -0,0 +1,15 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "uv"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

SECURITY.md

@@ -0,0 +1,22 @@
+# Security Policy
+
+## Supported Versions
+
+While docket is in the 0.x series, only the latest release receives security updates. Once we reach 1.0, we'll revisit this policy to provide longer-term support guarantees.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| latest  | :white_check_mark: |
+| < latest | :x:               |
+
+## Reporting a Vulnerability
+
+To report a security vulnerability, please use GitHub's private vulnerability reporting feature:
+
+1. Go to the [Security tab](https://github.com/chrisguidry/docket/security) of this repository
+2. Click "Report a vulnerability"
+3. Fill out the form with details about the vulnerability
+
+We will acknowledge receipt within 7 days and provide an initial assessment within 14 days.
+
+Please do not open public issues for security vulnerabilities.