🛠 Tooling: Automerge dependabot PRs for new versions older than 3 days

[JoshuaKGoldberg]

Tooling Report Checklist

• [X] I have pulled the latest main branch of the repository.
• [X] I have searched for related issues and found none that matched my request.
• [X] This is the appropriate issue form for the tooling issue I would like to report.

Expected

I have two conflicting desires:

• I don't want to have to manually merge dependabot PRs. They should be merged automatically.
• PRs shouldn't immediately merge ASAP, in case there is a malicious package version. We should only merge them once the version has been in the wild for long enough to let security alerts be fired on it.

Example of the incident kind I want to avoid: https://snyk.io/blog/open-source-npm-packages-colors-faker/

Actual

Dependabot PRs don't automatically merge right now.

Additional Info

I don't know whether dependabot has a way to wait some number of days after a version is released. If there is, that'd be ideal.

If not, some kind of action that's pending for 3 days after PR creation would be nice. I don't know if that's doable either.

I haven't looked into this very much 😄.