
dev: add dependabot to maintain deps #989

Merged
merged 2 commits into from
Feb 25, 2025

Conversation

tefkah
Member

@tefkah tefkah commented Feb 25, 2025

  • dev: add dependabot
  • dev: add yaml extension suggestion

Issue(s) Resolved

Dependencies going out of date and being annoying to update.

High-level Explanation of PR

Adds a dependabot.yml with some relatively arbitrary settings.

dependabot recently added support for pnpm workspace catalogs, which we recently introduced. This means we can use it now, as our most important dependencies are managed in workspaces.yml.

In case you are unaware of what dependabot is: basically a bot that puts up PRs updating dependencies that have gone out of date.

How to handle dependabot pull requests.

Given that we now have a reasonably robust test-suite, I feel relatively comfortable merging in patch/minor version updates if they pass our tests. For major versions we should still do some sleuthing I think.

I have set it up so that it will put up PRs on Monday. Given I'm usually the first person online, I'm happy to go through the PRs and handle them.

Proposal

  • minor/patch updates:
    • if dependabot's minor/patch PR(s) pass our tests, we just merge them in.
  • major updates:
    • if the PR passes tests
      • run it locally once, going through some things.
      • merge if it feels right
    • if the PR does not pass tests
      • try to make it pass tests
        • do some local testing, then request review
      • if unable to make it pass tests easily
        • make a proposal on whether to merge it in or not
    • for core dependencies (next, react, kysely, those in the catalogs)
      • unlikely that they pass tests anyway
      • first discuss with team whether major version update is desired

Test Plan

Screenshots (if applicable)

Notes
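As an added illustration (not the dependabot.yml from this PR, which the page does not show), a configuration that encodes the proposal above: weekly Monday runs, minor/patch bumps grouped into one PR so they can be merged together once CI passes, and major bumps for the core dependencies the author names (next, react, kysely) held back until the team has decided. The group name and the directory are assumptions.

```yaml
version: 2
updates:
  # pnpm workspaces are handled under dependabot's "npm" ecosystem name.
  - package-ecosystem: "npm"
    directory: "/"            # assumption: lockfile and workspace file live at the repo root
    schedule:
      interval: "weekly"
      day: "monday"           # PRs arrive at the start of the week, as described above
    open-pull-requests-limit: 10
    groups:
      # Minor/patch bumps land as one PR; merge it when the test-suite is green.
      minor-and-patch:
        update-types: ["minor", "patch"]
    # Major bumps stay outside the group and arrive as individual PRs for review.
    # For the core dependencies, skip major bumps entirely so that the
    # "discuss with the team first" step happens before any PR is opened.
    ignore:
      - dependency-name: "next"
        update-types: ["version-update:semver-major"]
      - dependency-name: "react"
        update-types: ["version-update:semver-major"]
      - dependency-name: "kysely"
        update-types: ["version-update:semver-major"]
```

Grouped PRs still run the full CI pipeline, so a failing minor/patch group should be split and bisected rather than merged on the strength of the group as a whole.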

@tefkah tefkah merged commit 90e78d7 into main Feb 25, 2025
6 checks passed
@tefkah tefkah deleted the tfk/dependabot branch February 25, 2025 15:26