disable dependabot PRs (for non-security updates)

[prandla]

most dependency updates are completely irrelevant for us. (especially transitive deps.) security updates are theoretically an exception, but those aren't disabled by this change.

currently the flood of dependabot PRs which we never merge is just email spam and a waste of CI time (well, not that i'm particularly sorry for wasting github's resources, but still).

Martin proposed just updating deps at the start of a development cycle, which seems reasonable to me. if we decide we like dependabot enough, then we can re-enable it just for that occasion, but i'd also be happy to just bump the deps by hand.

(source for the separate security PR limit claim.)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.68%. Comparing base (9cf7674) to head (bf3b528).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1680      +/-   ##
==========================================
- Coverage   54.68%   54.68%   -0.01%     
==========================================
  Files         336      336              
  Lines       27501    27501              
==========================================
- Hits        15040    15038       -2     
- Misses      12461    12463       +2     

Flag	Coverage Δ
functionaltests	0.00% <ø> (ø)
unittests	54.68% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.