
Repo hygiene: remove package-lock.json, harden Actions, add Dependabot cooldown#92

Merged
coliff merged 3 commits into master from copilot/remove-package-lock-json on Mar 6, 2026

Conversation

Copilot AI commented Mar 6, 2026


Addresses several maintenance and security hygiene items: remove package-lock.json from tracking, update GitHub Actions versions, enforce credential safety on checkout, and throttle Dependabot update frequency.

Changes

  • .gitignore — Added package-lock.json to prevent re-commit
  • package-lock.json — Deleted from repo
  • codeql-analysis.yml / ci.yml — Updated actions/checkout to v4; added persist-credentials: false to both checkout steps to avoid persisting credentials in the local git config
  • dependabot.yml — Added cooldown: default-days: 7 to both npm and github-actions ecosystems to introduce a 7-day delay before Dependabot opens update PRs
Original prompt

This section details the original issue you should resolve

<issue_title>Updates</issue_title>
<issue_description>let's make the following changes

  • Remove package-lock.json
  • update codeql-analysis github actions to latest versions
  • actions/checkout should have persist-credentials: false set.
  • Dependabot Dependencies should have a cooldown period of 7 days</issue_description>

Comments on the Issue (you are @copilot in this section)


Co-authored-by: coliff <1212885+coliff@users.noreply.github.com>
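The two settings the description names, written out as an added example. This is not the repository's own configuration (the page does not show the file contents); the update schedule, directories and the surrounding workflow steps are assumed.

```yaml
# .github/dependabot.yml (added example; schedule and directory are assumed)
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
    # Wait 7 days after a version is published before opening an update PR.
    # A release that is yanked, or reported as malicious, inside that window
    # never becomes a PR, and never gets auto-merged.
    cooldown:
      default-days: 7
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
---
# .github/workflows/ci.yml, checkout step (added example; other steps assumed)
steps:
  - uses: actions/checkout@v4
    with:
      # The default (true) writes the job's GITHUB_TOKEN into .git/config,
      # where every later step can read it, including third-party actions
      # and npm lifecycle scripts. false drops it once the checkout is done.
      persist-credentials: false
```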
Copilot AI changed the title from "[WIP] Remove package-lock.json and update GitHub actions" to "Repo hygiene: remove package-lock.json, harden Actions, add Dependabot cooldown" on Mar 6, 2026
@coliff coliff marked this pull request as ready for review March 6, 2026 08:41
Copilot AI review requested due to automatic review settings March 6, 2026 08:41
@coliff coliff merged commit d17fd15 into master Mar 6, 2026
5 of 30 checks passed

Copilot AI left a comment


Pull request overview

This PR focuses on repository maintenance/security hygiene by removing the npm lockfile from version control and tightening GitHub Actions + Dependabot configuration.

Changes:

  • Update GitHub Actions workflows to use actions/checkout@v4 and disable credential persistence via persist-credentials: false.
  • Remove package-lock.json from the repo.
  • Add a 7-day Dependabot cooldown for both npm and github-actions ecosystems.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.

Files and descriptions:

  • .github/workflows/codeql-analysis.yml: Bumps checkout action to v4 and disables persisted credentials for the CodeQL workflow.
  • .github/workflows/ci.yml: Bumps checkout action to v4 and disables persisted credentials for CI.
  • .github/dependabot.yml: Adds a 7-day cooldown to Dependabot update configuration.
  • package-lock.json: Removes the committed npm lockfile from the repository.


Comment thread .github/workflows/ci.yml
Comment on lines +28 to 32
uses: actions/checkout@v4
with:
persist-credentials: false

- name: ⎔ Setup node ${{ matrix.node }}
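Review bot: the first quoted line, `uses: actions/checkout@v4`, pins to a mutable major-version tag, which is weaker than the rest of this hardening change warrants; since the PR also enables Dependabot for the github-actions ecosystem, pin to the action's full commit SHA with the version in a trailing comment (`uses: actions/checkout@<full-commit-sha> # v4`, placeholder SHA) so Dependabot keeps the pin current while a retagged or compromised release cannot change what the job runs.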

Copilot AI Mar 6, 2026


package-lock.json is being removed/ignored, but this workflow still uses actions/setup-node with cache: npm and runs npm ci. Both typically require a committed lockfile; without it the job is likely to fail. Either keep package-lock.json tracked, or switch CI to npm install and remove/adjust npm caching accordingly.

@coliff coliff deleted the copilot/remove-package-lock-json branch March 6, 2026 08:45
Development

Successfully merging this pull request may close these issues.

Updates

3 participants