This repository has been archived by the owner on Nov 30, 2022. It is now read-only.

Add dependabot #718

Merged
merged 4 commits into from
Jun 27, 2022

Conversation

sanders41
Contributor

@sanders41 sanders41 commented Jun 27, 2022

Purpose

Keep dependencies up to date.

Changes

  • Add a dependabot.yaml file

Checklist

  • Update CHANGELOG.md file
    • Merge in main so the most recent CHANGELOG.md file is being appended to
    • Add description within the Unreleased section in an appropriate category. Add a new category from the list at the top of the file if the needed one isn't already there.
    • Add a link to this PR at the end of the description with the PR number as the text. example: #1
  • Applicable documentation updated (guides, quickstart, postman collections, tutorial, fidesdemo, database diagram).
  • If docs updated (select one):
    • documentation complete, or draft/outline provided (tag docs-team to complete/review on this branch)
    • documentation issue created (tag docs-team to complete issue separately)
  • Good unit test/integration test coverage
  • This PR contains a DB migration. If checked, the reviewer should confirm with the author that the down_revision correctly references the previous migration before merging
  • The Run Unsafe PR Checks label has been applied, and checks have passed, if this PR touches any external services

Ticket

Fixes #

@TheAndrewJackson
Contributor

@sanders41 Everything looks good to me but I'm not sure how to validate that the yaml file works as expected since it runs once a week. Do you know if there is a way to do that?

@sanders41
Contributor Author

We can manually run it at any time, but not until the yaml file is in place. It is basically like the workflow files, no way to test first. The good news is it just opens PRs so if anything is wrong we can close the PR and try again so no harm done.

@TheAndrewJackson
Contributor

Oh I see. That makes sense. Once the changelog conflicts are fixed I'll merge it in 👍

@sanders41
Contributor Author

I fixed the conflict.

@TheAndrewJackson TheAndrewJackson merged commit 6157f11 into main Jun 27, 2022
@TheAndrewJackson TheAndrewJackson deleted the dependabot branch June 27, 2022 19:17
@daveqnet
Contributor

@sanders41 & @TheAndrewJackson, let me know how you get on with the volume of Dependabot auto-PRs in this repo when it's configured for version updates.

My experience of it is that it's very noisy, especially in repos with npm manifest files, creating one PR per dependency bump per manifest file.

From a security perspective there's no issue if the PRs keep getting reviewed and merged, but I'd be slightly concerned about PR fatigue in the fidesops team, resulting in a security update being missed.

An alternative could be to just configure it for security updates or even just fall back to alerts.

The levels of Dependabot go something like:

  1. Dependency graph enabled
  2. Dependabot alerts enabled
  3. Dependabot security updates enabled
  4. Dependabot version updates enabled
  5. Dependabot PRs auto-merged without human review

I'm happy with just alerts enabled for most repos. Anyway, please let me know how it goes.
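
The two configurations discussed in the comment above, written out as an added example (this is not the dependabot.yaml from this PR, and the manifest paths are assumptions): a `.github/dependabot.yml` that keeps weekly version updates for a Python manifest at the repo root but groups them to cut PR volume, and holds a hypothetical npm manifest under `clients/admin-ui` at security updates only.

```yaml
# .github/dependabot.yml (added example; not this PR's file; directories are assumptions)
version: 2
updates:
  # Level 4 from the list above: version updates for the Python manifest at the repo root.
  # Grouping minor and patch bumps into one PR limits the "one PR per dependency" noise
  # while keeping the dependency set current.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    groups:
      python-minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    labels:
      - "dependencies"

  # Level 3 for the (hypothetical) npm manifest: open-pull-requests-limit: 0 turns off
  # version updates for this ecosystem, while Dependabot security updates still open PRs
  # for advisories that affect it. Alerts and security updates themselves are switched on
  # in the repository's Security settings, not in this file; auto-merge (level 5) is a
  # separate workflow/branch-protection decision and is deliberately not configured here.
  - package-ecosystem: "npm"
    directory: "/clients/admin-ui"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
```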

sanders41 added a commit that referenced this pull request Sep 22, 2022
* Add dependabot

* Update CHANGELOG

* Update CHANGELOG

Co-authored-by: Paul Sanders <[email protected]>