chore: bump dependabot PR limit for cargo from 5 to 15

[Jefffrey]

Which issue does this PR close?

• N/A

Rationale for this change

Occasionally we do PRs to bump a bunch of versions in Cargo.lock, recent example:

• Update dependencies #19667

Ideally this should be handled by dependabot already. I suspect the default limit of 5 is preventing dependabot from creating all the PRs it needs; this causes it to error and those version bumps are "lost".

• I say "lost" but dependabot can pick it up on the next run... if it doesn't error again

See an example from a dependabot run:

From the logs:

 +-------------------------------------------------------+
|          Changes to Dependabot Pull Requests          |
+---------+---------------------------------------------+
| created | insta ( from 1.45.0 to 1.46.0 )             |
| created | tracing ( from 0.1.43 to 0.1.44 )           |
| created | syn ( from 2.0.111 to 2.0.113 )             |
| created | async-compression ( from 0.4.35 to 0.4.36 ) |
| created | object_store ( from 0.12.4 to 0.13.0 )      |
| created | serde_json ( from 1.0.145 to 1.0.148 )      |
| created | bigdecimal ( from 0.4.9 to 0.4.10 )         |
| created | clap ( from 4.5.53 to 4.5.54 )              |
| created | libc ( from 0.2.177 to 0.2.179 )            |
| created | tokio ( from 1.48.0 to 1.49.0 )             |
| created | tokio-util ( from 0.7.17 to 0.7.18 )        |
| created | sqllogictest ( from 0.28.4 to 0.29.0 )      |
+---------+---------------------------------------------+

We expect to have all these PRs created (this was for the run 5 days ago), but only these were created on that day:

• chore(deps): bump syn from 2.0.111 to 2.0.113 #19645
• chore(deps): bump tracing from 0.1.43 to 0.1.44 #19644
• chore(deps): bump insta from 1.45.0 to 1.46.0 #19643

And considering these PRs were still open at the time:

• chore(deps): bump sqlparser from 0.59.0 to 0.60.0 #19544
• chore(deps): bump the proto group with 3 updates #19325

We can see it hit the 5 limit.

Dependabot default behavior:

• If five pull requests with version updates are open, no further pull requests are raised until some of those open requests are merged or closed.
• Security updates have a separate, internal limit of ten open pull requests which cannot be changed.

• https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#open-pull-requests-limit-

What changes are included in this PR?

Bump the limit to 15. We might have an appetite for increasing it more, 15 was chosen arbitrarily.

Are these changes tested?

Dependabot only.

Are there any user-facing changes?

No.

[Jefffrey]

(note to self)

Saw these too in log:

 Dependabot encountered '2' error(s) during execution, please check the logs for more details.
+---------------------------------------------+
|        Dependencies failed to update        |
+-------------+---------------+---------------+
| Dependency  | Error Type    | Error Details |
+-------------+---------------+---------------+
| parking_lot | unknown_error | null          |
| tempfile    | unknown_error | null          |
+-------------+---------------+---------------+

Look into this

[comphead]

Thanks @Jefffrey

I would also check https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups-- to group minor updates into a single PR, excluding major things, like parser, arrow, object_store, parquet

I create a followup on this to prevent creating too many PRs.

[Jefffrey]

Thanks @comphead

I'll merge this in so it takes effect in the next weekly run tomorrow

I would also check https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups-- to group minor updates into a single PR, excluding major things, like parser, arrow, object_store, parquet

I create a followup on this to prevent creating too many PRs.

This sounds good as a followup 👍