fix: standardize on Node 22, harden HTTP layer, add dependabot

.github/dependabot.yml

@@ -0,0 +1,13 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10

.github/workflows/ci.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node-version: [18, 20, 22]
+        node-version: [22.x, 24.x]
 
     steps:
       - name: Checkout

CHANGELOG.md

@@ -26,6 +26,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Configurable request timeout (`timeoutMs`, default 30s) enforced via `AbortSignal.timeout`
+- `.github/dependabot.yml` for weekly npm and GitHub Actions dependency updates
+
+### Changed
+
+- Standardized on a Node.js 22 baseline: CI matrix now `[22.x, 24.x]`, `tsup` target `node22`, `@types/node` bumped to `^22`
+- Network/transport failures and timeouts in the HTTP layer are now converted into typed `AteraError` instances instead of throwing raw `TypeError`
+
+### Security
+
+- Ran `npm audit fix`; remaining advisories are confined to the bundled `npm` CLI and `esbuild`/`vite` dev tooling (transitive, dev-only, require breaking major bumps)
+
 ## [0.1.0] - 2026-02-04
 
 ### Added