Dependabot for apps

[maureensturgeon]

This creates our dependabot.yml which will allow dependabot to start automatically opening PRs. To start, we will only be using dependabot to upgrade our npm packages. There is a pull request limit of 1, so only 1 dependabot PR can be open at a time. We will be ignoring react dependencies for now, since there is a larger effort already happening to upgrade React. Dependabot upgrades dependencies to the latest version, I looked to see if there was a way to update versions incrementally (for versions that are far behind) and didn't find anything so this may be painful initially.

For more information about configuration see https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates.

Open questions

• Are there other dependencies we should be ignoring besides React?

Follow-ups

• Put in place a process for who reviews dependabot PRs so we can stay on top of them. (DoTD?)
• Add documentation that provides guidance on how to review dependency upgrade PRs. Ex: what to look for in patch, minor and major version upgrades. (I'd love help/guidance with this part)

[jamescodeorg]

Looks good to me, but I think you'll probably want to get some advice on this from the broader team?

[bethanyaconnor]

Thanks for answering my questions in Slack! I don't know much about the dependabot format but the approach makes sense to me. Thanks for leading the way on this!