GitHub Dependabot can detect and update packages that have known vulnerabilities. It checks not only package.json but also package-lock.json. Usually, when Dependabot finds an available update of a package that fixes a security vulnerability, it submits an automated pull request. However, when Dependabot cannot update to the required version, we need to update NPM manually.
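When a manual update is needed, it helps to see which installed copies recorded in package-lock.json are still below the patched version. The following is an added example, not code from the original page: it assumes the `packages` map used by lockfileVersion 2 and 3, and the lockfile excerpt, package names and versions are constructed for illustration.

```javascript
// Constructed lockfile excerpt (lockfileVersion 3 layout); names are made up.
const lockfile = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "web-lib": "^2.0.0", "example-parser": "^1.4.2" } },
    "node_modules/example-parser": { version: "1.4.2" },
    "node_modules/web-lib": { version: "2.1.0", dependencies: { "example-parser": "~1.2.0" } },
    "node_modules/web-lib/node_modules/example-parser": { version: "1.2.3" },
  },
};

// Compare plain x.y.z versions (pre-release tags are not handled here).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `name` older than `patched`, with the
// package directory it is nested under and the range that package declares
// (null if the requirement comes from somewhere deeper in the tree).
function findOutdatedCopies(lock, name, patched) {
  const suffix = "node_modules/" + name;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    if (!entry.version) continue; // e.g. linked workspace entries
    if (compareVersions(entry.version, patched) >= 0) continue;
    const parentPath = path.slice(0, path.length - suffix.length).replace(/\/$/, "");
    const parent = lock.packages[parentPath] || {};
    const declared = (parent.dependencies || {})[name] || null;
    hits.push({ path, version: entry.version, parent: parentPath || "(root)", declared });
  }
  return hits;
}

// The top-level copy is already patched; the copy nested under web-lib is not.
console.log(findOutdatedCopies(lockfile, "example-parser", "1.4.0"));
```

A nested copy pinned by a parent's range, as with `~1.2.0` here, shows where a version bump in package.json alone will not change what the lockfile installs.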
Here is the right way to move your existing code to a GitHub repository so that it shows the correct user name. Also, make sure you check in only the files you want by using .gitignore. Furthermore, use SSH instead of HTTPS, so you don't need to log in every time you push or pull.