Add dependabot.yml for dependency version updates

[kanwalpreetd]

What

Adding base config for dependabot.yml, which enables automatic PRs for dependency version updates through Dependabot. This base config sets version updates to run on a weekly schedule, groups PRs for version updates according to major vs minor/patch updates, and sets max PRs that Dependabot can create for version updates per package-ecosystem. But if you would like, several config options can be added to dependabot.yml as per configuration-options-for-the-dependabot.yml-file to customize version updates, such as:

• Group PRs for version updates by different criteria
• Set dependency-type option in allow option to all for enabling version updates for both direct and indirect dependencies (as well as prod and dev dependencies). By default, PRs for only updating direct prod+dev dependencies versions are created.
• Set reviewers for Dependabot version updates PRs
• Etc.

Also, automatic PRs for security updates through Dependabot are enabled through a global setting. PRs for security updates will be grouped as much as possible across directories and per ecosystem through the global setting (grouping-dependabot-security-updates). But dependabot.yml can also be used for more granular security updates settings in addition to version updates (some of the options in dependabot.yml are shared across security and version updates), such as:

• Grouping security updates according to custom criteria: overriding-the-default-behavior-with-a-configuration-file
• Only allowing automatic PRs for security updates for certain dependencies by configuring allow directive to a certain value such as production, development, direct, indirect. By default, security updates are applied to all dependencies (direct, indirect, production, development).
• Etc.

Why

To enable using the latest package versions, and provide a way to customize Dependabot security updates PRs.

Known limitations

N/A

[kanwalpreetd]

Will this present updates for security updates only or any releases? We likely will not apply non-security updates because this is a library and frequently affecting importers dependency graphs is something I'd like to avoid.

This config is for any release primarily. So, if you don't want to apply non-security updates, it can be closed.

Security updates are already applied through the global org setting, but how PRs are created for security updates can be configured more granularly through this file if needed (but if we don't see any issue with the way security updates PRs are working currently, there is no need to change it)