v2 - configure dependabot

[gillchristian]

Most of the PRs are just closed PRs to dependabot. The default config is annoying and doesn't really work. But we can change that.

Introduce a config file (https://dependabot.com/docs/config-file/) to:

• Limit the rate to 2 weeks (or monthly otherwise). Every 1 week feels like too much.
• Only do it for security update or minor/major. Patches also feel like too much.
• Update package.json as well, not only the lockfile.

If any other interesting features can be configured, please mention them so we can make better use of the tool.