Enable dependabot updates

[GoliathLabs]

Description:
I already use Dependabot for many projects. With Dependabot it is relatively easy to stay up to date with the dependencies and packages used. Instead of always checking for updates manually, you can e.g. use the dependabot.yml configuration to tell Dependabot to check the project once a week for new releases of the Python packages that are used. If there are new updates, a new pull request is automatically created for them.

Since this procedure takes at least some work off my hands over at my projects, I wanted to ask if you would be up to using it as well. The configuration file is quickly created and dependabot then runs without further ado.

[DMRobertson]

We would like to take advantage of Dependabot, but the first order of business is to use a dependency specification and formal lockfile: #11537.

[GoliathLabs]

@DMRobertson Okay, good to know. Thanks for the quick response

[DMRobertson]

We have dependabot PRing security updates now that we use locked dependencies.

Next steps would be to

• decide if we (@matrix-org/synapse-core) want to use dependabot for non-security upgrades
• if so, configure it to do so.

Last time we talked about this I think there was general agreement this was probably worthwhile? We already test against latest deps in CI and this pulls in useful bugfixes (e.g. recent frozendict memory leak fixes.)

[GoliathLabs]

@DMRobertson Good to hear. Dependabot can be configured quite easily (see: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates).

For myself, Dependabot takes some of the work off my hands as it keeps track of (non-)security upgrades and notifies me once a month (can be configured as desired). For larger projects or organizations this could be done daily or weekly (see: https://github.com/cinnyapp/cinny/blob/dev/.github/dependabot.yml)