diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index eafe5a5..761a86f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -21,6 +21,7 @@ stages:
   - check
   - test
   - secret-detection
+  - security
 
 sast:
   stage: test
@@ -32,7 +33,7 @@ include:
 variables:
   SECRET_DETECTION_ENABLED: "true"
   PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
-  POETRY_VERSION: "1.8.3"
+  POETRY_VERSION: "2.1.1"
   POETRY_VIRTUALENVS_IN_PROJECT: "true"
 
 secret_detection:
@@ -84,3 +85,33 @@ pytest:
       path: coverage.xml
     when: always
     expire_in: 7 days
+
+dependency-update:
+  stage: security
+  # fresh install — don't reuse cached venv since we're updating packages
+  cache: []
+  script:
+    - apt-get update -qq && apt-get install -y -qq libcap-dev git curl
+    - pip install poetry==$POETRY_VERSION
+    - poetry install --without pi --no-interaction
+    - chmod +x scripts/dependency_update.sh scripts/create_mr.sh
+    # run update — exits 0 if no changes, 1 if changes found
+    - |
+      set +e
+      bash scripts/dependency_update.sh
+      UPDATE_EXIT=$?
+      set -e
+      if [ $UPDATE_EXIT -eq 1 ]; then
+        echo "Changes found — creating merge request"
+        bash scripts/create_mr.sh
+      else
+        echo "No changes — skipping merge request"
+      fi
+  rules:
+    # run on push to main
+    - if: '$CI_COMMIT_BRANCH == "main"'
+    # run on schedule
+    - if: '$CI_PIPELINE_SOURCE == "schedule"'
+    # never run on dependency-update branches to avoid loops
+    - if: "$CI_COMMIT_BRANCH =~ /^dependency-updates-/"
+      when: never
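Review bot: The `if [ $UPDATE_EXIT -eq 1 ]` / `else` block in the new `dependency-update` script treats every exit code other than 1 as "no changes", so a crash of `scripts/dependency_update.sh` (exit 2, 127, a killed process) prints "No changes — skipping merge request" and the job goes green; with `set +e` in force there is nothing else that would fail the job. Add an `elif` that re-raises non-zero, non-1 codes so an updater failure is visible rather than silently suppressed, and quote the variable while there. Separately, GitLab evaluates `rules` in order and stops at the first match, so the `when: never` guard for `dependency-updates-*` branches should be the first entry, otherwise a schedule pinned to such a branch still matches the `schedule` rule before reaching it. Since `scripts/create_mr.sh` (outside this diff) presumably pushes a branch and opens an MR with an API token, that token should be a masked, protected CI variable, and consider `--no-install-recommends` on the `apt-get install` line to keep the job image minimal.

```yaml
    - |
      set +e
      bash scripts/dependency_update.sh
      UPDATE_EXIT=$?
      set -e
      if [ "$UPDATE_EXIT" -eq 1 ]; then
        echo "Changes found — creating merge request"
        bash scripts/create_mr.sh
      elif [ "$UPDATE_EXIT" -ne 0 ]; then
        echo "dependency_update.sh failed with exit code $UPDATE_EXIT"
        exit "$UPDATE_EXIT"
      else
        echo "No changes — skipping merge request"
      fi
  rules:
    # never run on dependency-update branches to avoid loops (first match wins)
    - if: "$CI_COMMIT_BRANCH =~ /^dependency-updates-/"
      when: never
    # … unchanged: main-branch and schedule rules …
```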