diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..de39762
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,33 @@
+version: 2
+updates:
+ # npm — TypeScript MCP server
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ open-pull-requests-limit: 10
+ labels: ["dependencies", "security"]
+ # Group patch + minor updates into a single PR per package-ecosystem.
+ # Major bumps still get their own PR for human review. Mergify
+ # batches the resulting PR group via .mergify.yml's "dependencies"
+ # queue.
+ groups:
+ npm-minor-patch:
+ update-types:
+ - "minor"
+ - "patch"
+
+ # GitHub Actions — workflow dependency updates (pinned by SHA)
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ open-pull-requests-limit: 5
+ labels: ["dependencies", "ci"]
+ groups:
+ actions-minor-patch:
+ update-types:
+ - "minor"
+ - "patch"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b516e07..32373ed 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,7 +16,7 @@ jobs:
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.7
- - uses: actions/setup-node@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.3.0
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 20
 cache: npm
diff --git a/.mergify.yml b/.mergify.yml
new file mode 100644
index 0000000..7827c57
--- /dev/null
+++ b/.mergify.yml
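Review bot: Every npm minor and patch bump in the `npm-minor-patch` group is, per the comment in this hunk, handed straight to Mergify's `dependencies` queue, so a compromised upstream release that still passes CI reaches `main` and, per the .mergify.yml header, an npm publish with no human in the loop. Freshly published versions are where npm hijacks are usually caught and yanked, so if the Dependabot version in use supports it, add a cooldown under the npm entry, e.g. `cooldown:` / `  default-days: 7`, so the Monday run only picks up releases that have aged; otherwise consider leaving `"minor"` out of the auto-merged group and keeping it on the human-review path the comment reserves for majors. Separately, the `"security"` label is applied to every npm PR this config raises, not only security updates, so it cannot be used for triage; drop it or rename it to something that does not imply an advisory.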
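Review bot: The new setup-node pin moves from a line commented v5.3.0 to one commented v4.4.0, a major downgrade that nothing in the commit explains, and the github-actions Dependabot entry added in the same commit will likely open a separate v5 major-bump PR again next Monday, so state the reason in a comment or drop the downgrade. Because the SHA is the only thing that is actually enforced, confirm that both comment and SHA agree before merging, e.g. `git ls-remote https://github.com/actions/setup-node refs/tags/v4.4.0`, since a stale or wrong comment is what a reviewer ends up trusting. The same check is worth running on the unchanged checkout line above it, whose SHA `b4ffde65…` appears to correspond to v4.1.1 rather than the v4.1.7 its comment claims; the enclosing job definition starts and ends outside this hunk.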
@@ -0,0 +1,31 @@
+# Mergify config — Dependabot batching for cueapi-mcp.
+#
+# Regular PRs are auto-merged via the maintainer when CI is green.
+# Mergify's job here: batch Dependabot version-bump PRs so we don't
+# burn N CI runs and N npm-publish triggers for what's effectively
+# one weekly maintenance window.
+
+queue_rules:
+ - name: dependencies
+ # ``merge_method`` lives on the queue rule (Mergify v2).
+ merge_method: squash
+ batch_size: 5
+ batch_max_wait_time: 30 m
+ merge_conditions:
+ # Mirrors the required check from .github/workflows/ci.yml.
+ # Update both together if the workflow's job name changes.
+ - check-success=Typecheck, Test, Build
+
+pull_request_rules:
+ - name: batch-merge Dependabot PRs
+ conditions:
+ - or:
+ - author=dependabot[bot]
+ - author=dependabot
+ - base=main
+ - -draft
+ - -conflict
+ - label=dependencies
+ actions:
+ queue:
+ name: dependencies
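Review bot: The `dependencies` queue merges any Dependabot PR whose only gate is the single `check-success=Typecheck, Test, Build` condition, which a malicious dependency release can pass, so for the grouped npm bumps this is unreviewed third-party code reaching `main` and the npm-publish trigger the header comment mentions. Consider limiting automatic queueing to patch-level bumps with Mergify's Dependabot attributes if your version exposes them (e.g. `- dependabot-update-type=version-update:semver-patch`), or requiring `- "#approved-reviews-by>=1"` for npm PRs while leaving the SHA-pinned GitHub Actions bumps fully automatic. The `label=dependencies` condition adds no protection on its own, since the `author=` check already scopes the rule and labels are settable by anyone with triage access; keep it only if the intent is a manual opt-out, in which case a negative condition such as `- -label=hold` says so more clearly. Also, the header's "auto-merged via the maintainer" reads as a contradiction — say whether regular PRs are merged by hand or by another Mergify rule.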