diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a5a5203..2d50b87 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -2,8 +2,10 @@ version: 2
 updates:
 # Dev dependencies — Playwright, Vite, http-server, esbuild.
 # No runtime npm deps ship to users, so these are dev-tool hygiene only.
+ # PRs target `dev` so they flow through the normal dev → main review cycle.
 - package-ecosystem: npm
 directory: /
+ target-branch: dev
 schedule:
 interval: weekly
 day: monday
@@ -17,10 +19,17 @@ updates:
 update-types:
 - minor
 - patch
+ # Major bumps are reviewed by a human as needed (vite, playwright, etc.).
+ # Security advisories still open PRs regardless of these ignore rules.
+ ignore:
+ - dependency-name: "*"
+ update-types:
+ - version-update:semver-major
 # GitHub Actions used by our workflows (checkout, setup-node, codeql, scorecard, ...).
 - package-ecosystem: github-actions
 directory: /
+ target-branch: dev
 schedule:
 interval: weekly
 day: monday
@@ -33,3 +42,7 @@ updates:
 update-types:
 - minor
 - patch
+ ignore:
+ - dependency-name: "*"
+ update-types:
+ - version-update:semver-major
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0d213ea..76bef08 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -10,6 +10,10 @@ on:
 # badge stays current even when the repo is quiet.
 - cron: '0 6 * * 1'
+# Least-privilege default; the analyze job widens this for SARIF upload.
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze (javascript-typescript)
@@ -27,10 +31,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3.36.2
 with:
 languages: ${{ matrix.language }}
 queries: security-and-quality 
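Review bot: `target-branch: dev` in the npm block (and again in the github-actions block two hunks down) changes more than where version-update PRs land: GitHub documents that once `target-branch` is set, that package-manager entry's settings no longer apply to Dependabot security updates, which are always raised against the default branch. The new `ignore`, `allow` and `schedule` therefore govern only the `dev` version bumps, while advisory-driven PRs open against the default branch with default settings rather than following the `dev → main` flow the new comment describes. If that split is intended, record it next to the comment, e.g. `# Security updates ignore this block and are raised against the default branch.`; if advisories should also go through `dev`, a second npm entry without `target-branch` is the documented way to cover the default branch.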
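Review bot: The new workflow-level `permissions: contents: read` in codeql.yml only works if the `analyze` job's own `permissions` block, which lies outside this hunk, re-grants `security-events: write`; `codeql-action/analyze` needs it to upload SARIF, and a missing grant surfaces as a 403 on the upload step rather than at parse time. The added comment asserts the job widens the grant, but nothing in this diff shows the job block, so that should be confirmed before merge, especially since the scheduled cron run has no PR to notice a red check. It would also help to make the comment concrete: `# analyze job re-grants security-events: write (SARIF upload); actions: read is additionally required for private repos.`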
@@ -43,6 +47,6 @@ jobs:
 - dist/**
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3.36.2
 with:
 category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 23885c4..786a195 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -6,6 +6,10 @@ on:
 pull_request:
 branches: [main, dev]
+# Least-privilege default; jobs opt in to more if needed.
+permissions:
+ contents: read
+
 jobs:
 e2e-tests:
 name: E2E Tests (Playwright)
@@ -14,10 +18,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: '24'
 cache: 'npm'
@@ -55,7 +59,7 @@ jobs:
 - name: Upload test report
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: playwright-report
 path: playwright-report/
@@ -63,7 +67,7 @@ jobs:
 - name: Upload test results (XML)
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: test-results
 path: test-results/
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 61a022f..59e7d30 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -25,12 +25,12 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
 - name: Run analysis
- uses: ossf/scorecard-action@v2.4.3
+ uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
 with:
 results_file: results.sarif
 results_format: sarif 
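Review bot: The pinned `actions/checkout` step in the e2e-tests.yml `@@ -14,10 +18,10 @@` hunk keeps the default `persist-credentials: true`, so the job's `GITHUB_TOKEN` is written into `.git/config` where every later step — `npm ci`, package lifecycle scripts, the Playwright run — can read it. The same commit sets `persist-credentials: false` on the scorecard.yml checkout a few hunks further down, so the e2e checkout (and, as far as this diff shows, the codeql.yml one) is inconsistent with the hardening applied elsewhere; with `contents: read` the token is low-value, but nothing visible in these hunks pushes or otherwise needs it. Add `with:` and `persist-credentials: false` under the checkout step, as scorecard.yml already does.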
@@ -38,13 +38,13 @@ jobs:
 publish_results: true
 - name: Upload artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: SARIF file
 path: results.sarif
 retention-days: 5
 - name: Upload to code-scanning
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3.36.2
 with:
 sarif_file: results.sarif
diff --git a/js/editor.js b/js/editor.js
index 9262cdc..8218d0a 100644
--- a/js/editor.js
+++ b/js/editor.js
@@ -270,7 +270,8 @@ require(['vs/editor/editor.main'], () => {
 if (allCommented) {
 for (let i = startLine; i <= endLine; i++) {
 const line = model.getLineContent(i);
- const stripped = line.replace(/^(\s*)(\s*)$/, '$1');
+ // --!?> matches both --> and --!>; the latter is rare but legal per the HTML spec.
+ const stripped = line.replace(/^(\s*)