doc(security-policy): Add a section on dependency updates

[tonyo]

This updates the repository security policy to clarify how we approach dependency updates in the event of detected security issues.

In the (new) "Dependency Update Policy" section we try to clarify why we don't want to bump versions of certain dependencies, even if security scanners report them as vulnerable (e.g. #633).

Closes #640

[codecov]

Codecov Report

Patch coverage has no change and project coverage change: -0.08 ⚠️

Comparison is base (eec094e) 79.72% compared to head (44da9c6) 79.64%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #641      +/-   ##
==========================================
- Coverage   79.72%   79.64%   -0.08%     
==========================================
  Files          38       38              
  Lines        3896     3896              
==========================================
- Hits         3106     3103       -3     
- Misses        681      683       +2     
- Partials      109      110       +1     

see 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.