chore(dependabot): group security#2850
Code Review
This pull request updates the Dependabot configuration to introduce specific grouping rules for version and security updates. The reviewer provided feedback regarding the naming of these new groups, noting that 'version-minor-and-patch-by-dependency' is misleading since it groups all dependencies together, and 'security-minor-and-patch' is inconsistent because it includes major updates.
An easy supply chain attack hardening win for the npm ecosystem is to enable dependabot "cooldown" parameters in concert with a package manager config change to disallow packages younger than X days (e.g. 3)

ooh good point
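The hardening described in the comment above, written out as an added example (this is not the PR's own `.github/dependabot.yml`): a Dependabot `cooldown` block, which makes Dependabot wait a number of days after a release before it proposes that version, paired with a package-manager setting that refuses to install versions younger than the same threshold. The group names, the `/` directory, the weekly schedule and the 3-day value are assumptions; `min-release-age` (npm, in days) and `minimumReleaseAge` (pnpm, in minutes) are assumed to be supported by the package manager version in use.

```yaml
# .github/dependabot.yml  (added example, not this PR's file)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"                 # assumed location of package.json
    schedule:
      interval: "weekly"           # assumed
    # Cooldown: Dependabot waits N days after a release before opening a PR,
    # so a malicious version that is pulled from the registry within days
    # never reaches the review queue.
    cooldown:
      default-days: 3              # assumed threshold, matches the package manager below
      semver-major-days: 7         # assumed: majors get a longer wait
    groups:
      version-minor-and-patch:     # assumed name
        applies-to: version-updates
        patterns: ["*"]            # "*" groups every dependency together
        update-types: ["minor", "patch"]
      security-minor-and-patch:    # assumed name
        applies-to: security-updates
        patterns: ["*"]
        update-types: ["minor", "patch"]
```

The cooldown only governs what Dependabot proposes; a developer running `npm install` locally still pulls the newest version unless the package manager enforces the same age floor. For npm that is `min-release-age=3` in the repository `.npmrc`; for pnpm it is `minimumReleaseAge: 4320` (3 days in minutes) in `pnpm-workspace.yaml`. Keeping the two thresholds equal avoids Dependabot proposing a version the install step then rejects.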
This pull request updates the `.github/dependabot.yml` configuration to improve how dependency updates are grouped, labeled, and managed. The changes refine update grouping for both regular and security updates, add commit message customization, and clarify ignored update types.

Dependabot configuration improvements:

- Groups `version-minor-and-patch-by-dependency` for regular updates and `security-minor-and-patch` for security updates, with more precise control over which update types are included in each group.