
Add dependabot #991

Merged
merged 5 commits into from
Nov 13, 2022

Conversation

@snss231 snss231 commented Aug 1, 2022

Summary:

Fixes #771

Changes Made:

  • Add yaml config file to enable dependabot

This PR will configure dependabot to create PRs to update outdated npm dependencies at a weekly interval (at a random time). As far as I understand, it will help us identify outdated packages and reduce the mundane workload when updating our dependencies.

I set the open-pull-requests-limit to 20 since we have a large number of outdated dependencies but maybe our more experienced developers can further advise on the config 🙂

Proposed Commit Message:

CATcher uses many npm packages.

Let's add dependabot to our repository to help us
with the process of updating our deprecated or 
vulnerable dependencies.

codecov-commenter commented Aug 1, 2022

Codecov Report

Base: 58.12% // Head: 58.08% // Decreases project coverage by -0.04% ⚠️

Coverage data is based on head (d678fb5) compared to base (264f6be).
Patch has no changes to coverable lines.

```
@@            Coverage Diff             @@
##           master     #991      +/-   ##
==========================================
- Coverage   58.12%   58.08%   -0.05%     
==========================================
  Files         100      100              
  Lines        2295     2295              
  Branches      260      260              
==========================================
- Hits         1334     1333       -1     
  Misses        917      917              
- Partials       44       45       +1     
```

| Impacted Files | Coverage Δ |
| --- | --- |
| src/app/shared/issue-tables/issue-sorter.ts | 43.47% <0.00%> (-4.35%) ⬇️ |


@kkangs0226 (Contributor) commented:

The yml file looks good to me, but perhaps other senior developers who have worked with dependabot before can help to cross-check before we merge this pull request. 😀

Other developers who are also unfamiliar with dependabot, this is the document that I referred to: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

Also, would like to know other developers' thoughts of adding one more package-ecosystem for Github Actions.
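As an added illustration (not the file from this PR, which the page does not reproduce), this is what a `.github/dependabot.yml` matching the settings described in the PR body looks like, with the second `github-actions` ecosystem proposed above; the `directory: "/"` entry for npm assumes CATcher's `package.json` sits at the repository root:

```yaml
# Added example, not the PR's own config: Dependabot version updates for
# npm packages plus GitHub Actions workflow dependencies.
version: 2
updates:
  # npm manifest at the repository root (assumed), checked once a week.
  # With only "weekly" given, Dependabot chooses the day and time itself.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Default cap is 5 open PRs; raised because many packages are outdated.
    open-pull-requests-limit: 20

  # Actions referenced from .github/workflows/*.yml. For this ecosystem
  # the directory is always "/" regardless of where the workflows live.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Each ecosystem entry produces its own set of pull requests, so the `open-pull-requests-limit` applies per entry rather than across the whole file.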

@chunweii (Contributor) commented:

I think the dependabot config is okay. However, I think most of the outdated packages in our repo are due to the outdated Angular version that we are using. I do not think we should upgrade these dependencies without upgrading Angular to the LTS version, unless there are severe security vulnerabilities or any critical fixes required. That's why it is important to keep Angular up to date.

> Also, would like to know other developers' thoughts of adding one more package-ecosystem for Github Actions.

I think this is a good idea too.

@kkangs0226 (Contributor) commented:

@CATcher-org/developers Please let us know your thoughts on @chunweii's comment. From the Dependabot document, it seems quite safe to have Dependabot automatically introduce changes since we can run tests & review the updates:

> When Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, Dependabot raises a pull request to replace the outdated dependency with the new version directly. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it.

@gycgabriel (Contributor) commented:

I have not used Dependabot myself, but according to the documentation:

> Dependabot checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository.

I think it is possible for CATcher to use Dependabot even if we do not use the latest version of Angular, if Dependabot accounts for the current version of Angular/Typescript CATcher is using before suggesting dependency upgrades.

@kkangs0226 (Contributor) commented:

@gycgabriel Thanks for your input. I think we can proceed to merge this PR.

@kkangs0226 kkangs0226 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kkangs0226 kkangs0226 merged commit 81de943 into CATcher-org:master Nov 13, 2022
Successfully merging this pull request may close these issues.

Add Dependabot to help manage outdated packages
5 participants