Add dependabot

[UlisesGascon]

Main Changes

The dependabot will check for available updates for the dependencies that we use in the project. In the current setup it will generate PRs once per week if the are new versions for our dependencies (npm and Github Actions).

We can remove npm and limit it to Github Actions, as well we can modify the frequency.

The dependabot is capable of follow the pin version schema introduced in #5432, so it will be able to upgrade and pin the GIthub actions accordantly.

The configuration is very flexible, see the documentation

Context

• Ref: Implementing OSSF Scorecard security-wg#2
• Report: https://kooltheba.github.io/openssf-scorecard-api-visualizer/#/projects/github.com/expressjs/express/commit/2a00da2067b7017f769c9100205a2a5f267a884b

Changelog

• 8e81a04 chore: add dependabot tool by @UlisesGascon

[shivam-sharma7]

@UlisesGascon you can also set pull request limit and timezone, that would be nice!

[UlisesGascon]

@UlisesGascon you can also set pull request limit and timezone, that would be nice!

Feel free to add a suggestion in the PR directly @shivam-sharma7 👍

[shivam-sharma7]

LGTM

[wesleytodd]

Hey, I just wanted to drop a note in here (I haven't had time to review yet) but we had talked about different approaches to dependency updates for express in the past and this approach does not align with the previous decisions on how we should do this. Once we get a regular cadence of meetings going and get over the hump of kicking everything back off I think we should address this, but I believe that it will take some discussion and alignment. Just didn't want folks to get frustrated if this sat for a while without clarity.

[inigomarquinez]

LGTM!