chdsbd opened 3 years ago
It would be very interesting to use the compatibility scores to decide whether to land or not as well (https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates#about-compatibility-scores) - for instance compatibility > 90.
The only quirk I've noticed is that the number can fluctuate quite a bit as the test suites are being collected in open repos. In one PR I just noticed a 5 point difference in a refresh.
(Also, a minor sidenote on not being sure where this data is exposed publicly other than the svg)
It seems like we'd need to extract the URL from the body, make a request to it, then parse the compatibility info from the SVG. I'm curious how reliable the dependabot-badges service would be and how they might rate limit Kodiak.
We can use the new Dependabot PR metadata to support updates by dependency type (production vs development) and dependency name (react, io-ts, etc.)
We currently parse Dependabot PR titles to determine the semver upgrade type. Instead we could use this new metadata. https://github.com/chdsbd/kodiak/blob/9793fd968d216209df0e41478139789c5d8aced3/bot/kodiak/test_dependencies.py#L8
Here's some documentation on the new options: https://github.com/dependabot/fetch-metadata/blame/0653935879f461a2c62bbc04e314a09d6dbe5e6a/README.md#L32-L37
Here's an example of the new metadata: https://github.com/dependabot/fetch-metadata/blob/0653935879f461a2c62bbc04e314a09d6dbe5e6a/src/dependabot/update_metadata.test.ts#L26-L31
related: https://github.com/dependabot/dependabot-core/issues/2294#issuecomment-854841028
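As an added example (not Kodiak's code), here is how a bot could read the `updated-dependencies` block that Dependabot writes into its commit messages, the same dependency-name / dependency-type / update-type fields the fetch-metadata action exposes, and apply a per-dependency-type merge policy instead of parsing the PR title. The commit message below is a constructed sample and the policy table is a hypothetical one, not Kodiak's configuration.

```python
import re

# Constructed sample Dependabot commit message; the YAML between `---` and `...`
# is the updated-dependencies metadata (same fields fetch-metadata exposes).
SAMPLE_COMMIT_MESSAGE = """\
Bumps [react](https://github.com/facebook/react) from 17.0.1 to 17.0.2.

---
updated-dependencies:
- dependency-name: react
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io-ts
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
"""

_BLOCK_RE = re.compile(r"^---\s*\nupdated-dependencies:\n(.*?)^\.\.\.\s*$", re.S | re.M)
_FIELD_RE = re.compile(r"^\s*-?\s*([a-z-]+):\s*(\S+)\s*$")

def parse_updated_dependencies(message: str) -> list:
    """Return one dict per updated-dependencies entry, or [] when the block is absent."""
    match = _BLOCK_RE.search(message)
    if not match:
        return []  # no metadata: let the caller fall back to title parsing, never guess
    entries, current = [], {}
    for line in match.group(1).splitlines():
        if line.startswith("- ") and current:  # a new list item begins
            entries.append(current)
            current = {}
        field = _FIELD_RE.match(line)
        if field:
            current[field.group(1)] = field.group(2)
    if current:
        entries.append(current)
    return entries

# Hypothetical policy (not Kodiak's): update levels each dependency type may auto-merge.
ALLOWED_UPDATES = {
    "direct:production": {"version-update:semver-patch"},
    "direct:development": {"version-update:semver-patch", "version-update:semver-minor"},
    "indirect": {"version-update:semver-patch", "version-update:semver-minor"},
}

def should_automerge(entries: list, allowed=ALLOWED_UPDATES) -> bool:
    """Merge only if every updated dependency is within policy; no metadata means no merge."""
    return bool(entries) and all(e.get("update-type") in allowed.get(e.get("dependency-type"), set()) for e in entries)
```

A PR that bumps several dependencies at once is only merged when every entry passes, and a message without the block is refused rather than treated as a patch bump.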