ffrgb / meshviewer

Meshviewer - more in the README
https://regensburg.freifunk.net/netz/karte/
GNU Affero General Public License v3.0

[TASK] Added Dependabot to check for dependency updates #325

Closed GoliathLabs closed 1 year ago

GoliathLabs commented 1 year ago

Description

I already use Dependabot for many projects. With Dependabot it is relatively easy to stay up to date with the dependencies and packages used. Instead of always checking for updates manually, you can use the dependabot.yml configuration to tell Dependabot to check the project once a week for new releases of e.g. the npm/yarn dependencies that are used or newer Docker image tags. If there are new updates, a new pull request is automatically created for them.

Motivation and Context

Since this procedure takes at least some work off my hands over at my projects, I wanted to ask if you would be up to using it as well.

How Has This Been Tested?

Screenshots/links (if appropriate):

Checklist:

xf- commented 1 year ago

Hi,

I will take a look at some point, but GitHub has similar features integrated without any tooling.

We have two types of dependencies:

  1. "normal": Libraries meshviewer uses. Some of them are outdated, but the problem is some new versions won't work with the old loading system, so most of the libraries are at maximum version and will not receive a lot of updates anymore.
  2. "development": That's just a build pipeline and will not be included in any build. It is nice if they are up to date, but all the issues normally won't affect the currently working build.

I will never use npm. Horrible tool compared to yarn.
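A dependabot.yml that would implement what the description above proposes while respecting the two dependency classes xf- distinguishes, as an added example that is not a file from this PR or the meshviewer repository; the root-level package.json and Dockerfile, the develop target branch, the label name and the PR limit are assumptions.

```yaml
# .github/dependabot.yml (added example, not the PR's own file)
version: 2
updates:
  # The "npm" ecosystem also picks up yarn.lock, so one entry covers yarn.
  - package-ecosystem: "npm"
    directory: "/"                    # assumed: package.json at the repo root
    schedule:
      interval: "weekly"
    target-branch: "develop"          # assumed: PRs land on develop, not main
    open-pull-requests-limit: 5       # assumed cap on concurrently open PRs
    # Major bumps are what tend to break the old loading system, so leave
    # them out and review them manually; minor/patch updates still get PRs.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    labels:
      - "dependencies"                # assumed label name

  # Newer tags for the base image in the Dockerfile, on the same cadence.
  - package-ecosystem: "docker"
    directory: "/"                    # assumed: Dockerfile at the repo root
    schedule:
      interval: "weekly"
    target-branch: "develop"          # assumed, as above
```

Security-only pull requests of the kind already seen in this repository are a separate repository setting and keep working whether or not this file exists.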

GoliathLabs commented 1 year ago

@xf- Hi, Dependabot is a tool from GitHub which you have even used for a few dependencies that had security issues.

Dependabot uses ecosystems for its configuration. The npm ecosystem does include the yarn package manager and does update the packages accordingly (see: https://github.com/ffrgb/meshviewer/commit/bdb63645387b8e4f678fecb4def65e9b170dd47c).

xf- commented 1 year ago

I never used dependabot as merge. I always upgrade all dependencies, but somebody did.

What is the difference to GitHub? It does that already by itself.

In general, I try to avoid increasing dependencies on GitHub-specific features.

About NPM also covering yarn: that's stupid naming on GitHub's side. NodeJS is the language and NPM uses a different lock file. Didn't know that and was only seeing your commit message with the change to npm.

Like I wrote, I will think about it. My initial thought is that there is no need to add it. I see no advantage in adding it, and in general most libraries have incompatible new versions; the best thing would be a rewritten meshviewer with a modern module loader. I want to test updates before they are added into the develop/main branches.