Rollup updates, enable auto dependabot merging #61
Conversation
What if dependabot is suggesting a hijacked third-party dependency? Am I correct in the assumption that it'd be merged without a human reviewing the changes?
Hey @pieterocp! Good point. We do this for some other internal repositories since we have FOSSA checking them for vulnerability issues, but after discussing internally we agree this isn't a good fit for the GitHub Action. The good(?) news is no significant upgrades have been performed automatically, so we'll double-check the few that have and proceed from there manually. Thanks for the nudge here, we appreciate it!
No worries, boss, it's probably fine, but in a world where contributors can hand the reins over to a "Jia Tan" or have an account compromised, better to be careful. It's a bit droll, but an action can wait a bit, assuming there are no security implications from the underlying libraries being used.
Yep, our thoughts exactly!
Overview
Rolls up outdated packages.
In addition:
Checklist
- Ran `yarn build` and committed resulting changes.
- Updated `.github/workflows/test.yml` or explained why it doesn't make sense to do so.
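The auto-merge setup the thread is debating, as an added example and not the workflow this PR actually proposed: the first document is the weak form (every PR opened by `dependabot[bot]` is queued for merge with nobody looking at the diff, which is exactly the scenario @pieterocp raises); the second narrows it to semver-patch bumps and relies on branch protection to keep a human in the loop. The workflow names, job ids, and the `--squash` choice are assumptions; `dependabot/fetch-metadata` and its `update-type` output are the real action and output name.

```yaml
# Added example, not code from this PR. Weak form: any PR whose actor is
# dependabot[bot] gets auto-merge enabled, regardless of what the bump is.
name: Dependabot auto-merge (weak)
on: pull_request
permissions:
  contents: write
  pull-requests: write
jobs:
  automerge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
---
# Scoped form: only semver-patch bumps are queued; minor and major bumps
# fall through and wait for a reviewer. `gh pr merge --auto` enables
# GitHub's auto-merge, which still honours branch protection: if the
# branch requires one approving review and passing checks, the PR does
# not land until a human has approved and `test.yml` is green.
name: Dependabot auto-merge (scoped)
on: pull_request
permissions:
  contents: write
  pull-requests: write
jobs:
  automerge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - id: meta
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Queue patch bumps only
        # Other possible values: version-update:semver-minor, version-update:semver-major
        if: steps.meta.outputs.update-type == 'version-update:semver-patch'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The caveat a practitioner should keep in mind: the patch-only gate limits blast radius for routine bumps, but it does nothing against the case the thread is actually worried about. A maintainer account that has been handed over or compromised can publish a patch release just as easily as a major one, so the gate is only as good as the required-review rule behind it. Without a required review on the target branch, the scoped workflow merges a hijacked patch release exactly like the weak one does, which is why the maintainers here settled on merging by hand.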