chore: check for package updates using dependabot monthly

[jlosito]

Motivation

I use repolinter in my devDependencies in order to check my repository. I've gotten a couple of security notifications from GitHub due to third-party libraries linked to repolinter. This change should help trying to keep dependencies up-to-date.

Proposed Changes

This will use dependabot to check for package udpates on a monthly basis. If there are any updates, dependabot will submit a pull request with a version bump.

Test Plan

There should be several pull requests made from dependabot.

[hyandell]

Naive question - how does this differ from having Dependabot turned on and opening PRs like #325 ?

[jlosito]

One that is currently being used is just around security issues. The one I am proposing is regardless whether there is a security issue or not.

[hyandell]

Got it. This is a constant keep it fresh script.

Sounds good; but I'm unsure if there are enough eyeballs looking at merging things in [i'm very much an absent inherited-this maintainer, with one of my dayjob colleagues often helping out]. I've been leaning more to archiving the repository, perhaps switching to something simpler/newer for my dayjob needs.

[jlosito]

I can very much relate.

It's probably not in your best interest to approve this change then. It can be very noisy. I created an issue with dependabot several months ago to provide cron expressions so that users can configure quarterly, semiannual, annual, etc. No traction on the update upstream though.

[hyandell]

Thanks for your understanding. I've kicked off a thread on the TodoGroup Slack's repolinter channel to see what interest there is there in the project.