Setup dependabot.yml

[jaredpalmer]

GitHub recently acquired Dependabot and there is a new GitHub-native way to do the setup.

https://docs.github.com/en/github/administering-a-repository/enabling-and-disabling-version-updates

@agilgur5 docs seem pretty straightforward. I enabled it on tsdx via the dependabot app, but it appears that the yaml config allows for more granular control over things. I think we can safely set it to for weekly checks. As for rest of setup (ie auto-rebasing and automerging and pr limits), I will leave those decisions to you.

[agilgur5]

https://docs.github.com/en/github/administering-a-repository/enabling-and-disabling-version-updates

@jaredpalmer yea I was looking at this last night to try and configure security updates to ignore /website but this is for dependency upgrades (it says ignore affects both but not if 0 PR limit affects both -- asked support).

What I didn't like (besides the bugs) with Snyk was that it was making PRs for patches and minors even though those aren't pinned anyway -- they're unnecessary. It sounds like dependabot's version upgrades are the same, though not clear in practice how the widen versioning strategy works if already inclusive.

But Greenkeeper was basically only monitoring for patches and minors that failed tests and otherwise would only raise PRs for major bumps (i.e. outside of the pinned range), which wasn't unnecessary and was sometimes helpful (would still need batching together and sometimes no one was requesting the update). It's not clear from the docs if dependabot covers potentially useful majors or only unnecessary minors/patches.

@agilgur5 docs seem pretty straightforward. I enabled it on tsdx via the dependabot app, but it appears that the yaml config allows for more granular control over things

Oh, well the Dependabot app uses .dependabot/config.yml whereas native uses .github/dependabot.yml so I think you'll have to uninstall the app in order to use native and not duplicate or something

[jaredpalmer]

Uninstalled. Try it now