The correct option is Turn on Dependabot security updates and alerts for the repository. This meets the need to automatically detect vulnerable dependencies and open update proposals while avoiding risky automatic upgrades that could break builds.

This feature monitors manifest and lock files against the GitHub Advisory Database and raises alerts when vulnerabilities are disclosed. It can open pull requests that bump to the minimum secure version within your existing version constraints. It respects semantic versioning and your configuration so it avoids major breaking updates unless you opt in. It does not auto merge by default which lets your team review and ship on your regular release cadence.

Enable CodeQL code scanning focuses on analyzing your source code for security issues and quality concerns. It does not track third party dependency advisories or open pull requests to update packages, so it does not satisfy the requirement.

Pin your package files to the latest available versions forces upgrades to the newest releases and increases the chance of breaking changes. It also does not provide ongoing vulnerability detection or automated pull requests tailored to safe minimal updates.

Manually review each library across multiple advisory sites before adding it is slow and error prone for a codebase with many dependencies. It does not deliver continuous automated alerts or update proposals as new vulnerabilities are published.

Full AWS Practitioner Certification Question