chore: update dependencies and add Dependabot (closes #53)

- better-sqlite3 9 → 12 (Node.js ≥22 required, already enforced)
- dotenv 16 → 17 (minor: logging now enabled by default)
- express-rate-limit 7 → 8 (IPv6 /56 subnet grouping, no deprecated options used)
- express-session 1.18 → 1.19
- helmet 8.0 → 8.1
- googleapis 144 → 171
- tsdav 2.0 → 2.1
- Add .github/dependabot.yml for automated weekly npm updates

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

package.json

@@ -1,6 +1,6 @@
 {
   "name": "oikos",
-  "version": "0.20.7",
+  "version": "0.20.8",
   "description": "Self-hosted family planner - calendar, tasks, shopping, meal planning, budget and more. Private, open-source, no subscription.",
   "main": "server/index.js",
   "type": "module",
@@ -25,17 +25,17 @@
   },
   "dependencies": {
     "bcrypt": "^6.0.0",
-    "better-sqlite3": "^9.6.0",
-    "dotenv": "^16.4.7",
+    "better-sqlite3": "^12.9.0",
+    "dotenv": "^17.4.2",
     "express": "^4.21.2",
-    "express-rate-limit": "^7.5.0",
-    "express-session": "^1.18.1",
-    "helmet": "^8.0.0",
+    "express-rate-limit": "^8.3.2",
+    "express-session": "^1.19.0",
+    "helmet": "^8.1.0",
     "node-fetch": "^3.3.2"
   },
   "optionalDependencies": {
-    "googleapis": "^144.0.0",
-    "tsdav": "^2.0.10"
+    "googleapis": "^171.4.0",
+    "tsdav": "^2.1.8"
   },
   "license": "MIT",
   "devDependencies": {