Make managing dependabot updates less time consuming

[llucax]

What's needed?

Even with monthly updates, we still feel like we get too many updates too often. We need a way to spend less time doing updates that bring very little value.

Proposed solution

A few steps that might help in this regard:

• Do updates less often, quarterly, bi-yearly or even yearly. We have to keep a reasonably balance to make sure we don't end up using unmaintained dependencies for too long, risking security issues. Now we can use crontab-style scheduling.
  Related:
  • Remove day option in dependabot scheduling #449
• Have upgrades be triggered in a "canary project" first, so we can identify which need manual intervention and invest some time first on figuring out how to fix it, before spamming all other projects.
• Better differentiate between important and not so important updates.
• Auto-merge dependabot updates passing tests #287
• Add dependabot cooldown settings

[llucax]

There is a new cooldown feature in dependabot that sounds like it could reduce some noise:

• https://github.blog/changelog/2025-07-01-dependabot-supports-configuration-of-a-minimum-package-age/