microsoft · MaanavD · May 27, 2026 · May 27, 2026 · May 28, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,11 +1,104 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+# Dependabot configuration for Foundry-Local.
+# Enables weekly version updates across all package ecosystems in the repo.
+# Security updates are managed separately in repository settings
+# (Settings -> Code security -> Dependabot security updates).
+#
+# Docs: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
 
 version: 2
 updates:
-  - package-ecosystem: "" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  # ----- GitHub Actions -----
+  - package-ecosystem: github-actions
+    directory: /
     schedule:
-      interval: "weekly"
+      interval: weekly
+    open-pull-requests-limit: 10
+    labels:
+      - dependencies
+      - github-actions
+
+  # ----- npm: SDKs + website -----
+  - package-ecosystem: npm
+    directories:
+      - /sdk/js
+      - /sdk_legacy/js
+      - /www
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+    labels:
+      - dependencies
+      - javascript
+
+  # ----- npm: JS samples -----
+  - package-ecosystem: npm
+    directories:
+      - /samples/js/audio-transcription-example
+      - /samples/js/chat-and-audio-foundry-local
+      - /samples/js/copilot-sdk-foundry-local
+      - /samples/js/electron-chat-application
+      - /samples/js/embeddings
+      - /samples/js/langchain-integration-example
+      - /samples/js/live-audio-transcription
+      - /samples/js/native-chat-completions
+      - /samples/js/tool-calling-foundry-local
+      - /samples/js/tutorial-chat-assistant
+      - /samples/js/tutorial-document-summarizer
+      - /samples/js/tutorial-tool-calling
+      - /samples/js/tutorial-voice-to-text
+      - /samples/js/verify-winml
+      - /samples/js/web-server-example
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+    labels:
+      - dependencies
+      - javascript
+      - samples
+
+  # ----- Python: SDK + samples -----
+  - package-ecosystem: pip
+    directories:
+      - /sdk/python
+      - /samples/python/audio-transcription
+      - /samples/python/embeddings
+      - /samples/python/langchain-integration
+      - /samples/python/live-audio-transcription
+      - /samples/python/native-chat-completions
+      - /samples/python/tool-calling
+      - /samples/python/tutorial-chat-assistant
+      - /samples/python/tutorial-document-summarizer
+      - /samples/python/tutorial-tool-calling
+      - /samples/python/tutorial-voice-to-text
+      - /samples/python/verify-winml
+      - /samples/python/web-server
+      - /samples/python/web-server-responses
+      - /samples/python/web-server-responses-vision
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+    labels:
+      - dependencies
+      - python
+
+  # ----- .NET / NuGet: SDK -----
+  - package-ecosystem: nuget
+    directories:
+      - /sdk/cs/src
+      - /sdk/cs/test
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+    labels:
+      - dependencies
+      - dotnet
+
+  # ----- Rust: SDK -----
+  - package-ecosystem: cargo
+    directory: /sdk/rust
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+    labels:
+      - dependencies
+      - rust
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,55 @@
+# Auto-merge Dependabot PRs.
+#
+# Behavior:
+#   - Security updates of any semver level: auto-approve + enable auto-merge (squash).
+#   - Non-security patch / minor updates: auto-approve + enable auto-merge.
+#   - Major version bumps: only auto-approve; a human reviewer must merge.
+#
+# Requirements (enable in repo settings if not already):
+#   - Settings -> General -> "Allow auto-merge"
+#   - Settings -> Code security -> "Dependabot security updates" = enabled
+#   - A branch protection rule on the default branch with required status checks
+#     so auto-merge waits for CI to pass before merging.
+#
+# Docs: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
+
+name: Dependabot auto-merge
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize, ready_for_review]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - name: Fetch Dependabot metadata
+        id: meta
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Approve PR
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Enable auto-merge for security updates
+        if: steps.meta.outputs.alert-state == 'AUTO_DISMISSED' || steps.meta.outputs.ghsa-id != ''
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Enable auto-merge for patch/minor version updates
+        if: steps.meta.outputs.update-type == 'version-update:semver-patch' || steps.meta.outputs.update-type == 'version-update:semver-minor'
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/samples/js/electron-chat-application/package.json b/samples/js/electron-chat-application/package.json
@@ -16,6 +16,6 @@
     "foundry-local-sdk-winml": "latest"
   },
   "devDependencies": {
-    "electron": "^34.5.8"
+    "electron": "^39.8.5"
   }
-}
+}
diff --git a/samples/js/langchain-integration-example/package.json b/samples/js/langchain-integration-example/package.json
@@ -7,11 +7,11 @@
     "start": "node app.js"
   },
   "dependencies": {
-    "@langchain/core": "latest",
+    "@langchain/core": "^0.3.80",
     "@langchain/openai": "latest",
     "foundry-local-sdk": "latest"
   },
   "optionalDependencies": {
     "foundry-local-sdk-winml": "latest"
   }
-}
+}
diff --git a/sdk_legacy/js/package-lock.json b/sdk_legacy/js/package-lock.json
diff --git a/sdk_legacy/js/package.json b/sdk_legacy/js/package.json
@@ -48,5 +48,11 @@
     "typescript": "^5.2.2",
     "unbuild": "^3.5.0",
     "vitest": "^3.1.3"
+  },
+  "overrides": {
+    "postcss": "^8.5.10",
+    "vite": "^6.4.2",
+    "defu": "^6.1.5",
+    "picomatch": "^4.0.4"
   }
-}
+}
diff --git a/www/package-lock.json b/www/package-lock.json