enable Dependabot v2 #5077

Merged
merged 1 commit into from
Aug 15, 2020


sullis
Contributor

@sullis sullis commented Jul 24, 2020

Signed-off-by: Sean C. Sullivan <github@seansullivan.com>
@joakime
Contributor

joakime commented Jul 24, 2020

Dependabot warnings and notices are already enabled for this project.

However, due to legal reasons, we do not support the features of dependabot that automatically update the dependencies in the project.

@janbartel
Contributor

@joakime is there a change that @sullis can make that would make this PR acceptable?

@joakime
Contributor

joakime commented Aug 11, 2020

He could explain what this does, and what he hopes for the project.

We already have the dependabot warnings and notices enabled for this project for incoming changes.
We also have the dependabot external notifications set up to allow other projects to benefit from our changes in their dependabot enabled projects.
(example: jetty-project/jetty-maven-wagon#8)

If this PR is meant to automatically upgrade our dependencies, that we cannot support due to Eclipse Legal and lack of ECA in that process.

I'll give the OP 24 hours to reply; if I don't get anything, I'm closing this PR.

@olamy
Member

olamy commented Aug 12, 2020

We will get a lot of (noisy?) PRs to update our external dependencies such as Maven plugins, libraries (mongo, hazelcast).
I'm OK to give it a try, but do we really want to use every last version for everything? I'm happy to be compatible with old versions of infinispan, mongo etc...
Thoughts?

@olamy
Member

olamy commented Aug 15, 2020

@joakime this doesn't automatically update the project but creates a PR so we can see if it needs some Eclipse IP request.

@olamy olamy merged commit 74a1638 into jetty:jetty-10.0.x Aug 15, 2020
@gregw
Contributor

gregw commented Aug 18, 2020

@olamy the generated PRs are not building and they are targeting 10, when 9 with merge forward would be better.

Could we just change this to a weekly or monthly report?

@olamy
Member

olamy commented Aug 18, 2020

@gregw already changed to weekly 084db19
As far as I understand, the tool can work only on the main branch (dependabot/dependabot-core#2159). Maybe it's possible using the UI (but I don't have the access to set this up in this project and am not sure how to do it).
