chore: enable GitHub Dependabot

[ylemkimon]

Dependabot is now part of GitHub and can be configured within the repo.

Regarding #2035, I think we should enable it for all dependencies as (1) KaTeX build process may break even if it's minor update as in #2301, (2) it's easier to review and fix when there are few changes to the dependency, and (3) performance and compatibility might improve.

By default, it raises a maximum of five pull requests, and this value is configurable. I think this is a reasonable amount. There seems to be an auto-merge feature, if the backlog of PRs is a concern.

As most of our dependencies are outdated, I think we should get #2301 merged first, before enabling Dependabot.

[ronkok]

@ylemkimon I agree with this PR and I agree that PR #2301 should be merged first. If you could update these branches with the base branch, I would be happy to give them a positive review.

In the meantime, I have a question. In my local repository, I just tried to run git fetch upstream. The command failed and the message told me that it "cannot lock ref 'refs/remotes/upstream/dependabot'". It had a similar problem with the typescript branch. Do you have any idea how I should proceed?

[ylemkimon]

@ronkok Try git gc --prune=now, git remote prune upstream, and deleting .git/refs/remote/upstream (from Stack Overflow, edited). I've updated #2301.

[codecov-commenter]

Codecov Report

Merging #2311 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #2311   +/-   ##
=======================================
  Coverage   94.76%   94.76%           
=======================================
  Files          84       84           
  Lines        5382     5382           
  Branches      943      943           
=======================================
  Hits         5100     5100           
  Misses        258      258           
  Partials       24       24           

Flag	Coverage Δ
#screenshotter	88.48% <ø> (ø)
#test	88.64% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8a24907...a3ccf9c. Read the comment docs.

[ronkok]

I want to thank you for your attention to all the infrastructure details. It's not easy keeping up with Javascript churn.

[ylemkimon]

@ronkok Thank you for the review!

[ylemkimon]

I can confirm the Dependabot is running on GitHub: https://github.com/KaTeX/KaTeX/network/updates/39449665.

[kevinbarabash]

Do dependabot builds also trigger netlify builds?

[ylemkimon]

@kevinbarabash Yes, they do. I was thinking of a way to disable them.

[kevinbarabash]

In different project I tried using https://docs.netlify.com/configure-builds/file-based-configuration/#ignore-builds and checking the author of the commits. It kind of worked, but whenever I updated a PR before merging it would run a netlify build because the author of the merge commit was me. 😞