Conversation

claytonrcarter
Collaborator

Of the last 100 commits to master over 75 have been dependabot updates. While I like the atomic nature of these, this feels like a lot of history noise, and also merging all of the dependabot PRs is usually an easy but tedious task that gets in the way of other maintenance tasks and updates.

Proposal:

  • reduce dependabot updates from weekly to monthly
  • group most dependency updates into a single PR, instead of atomic updates of 1-dep-per-pr
  • provide a way to keep "known troublesome" deps on a 1-dep-per-pr cadence
    • git2 and clap_mangen are treated this way because they both have pending PRs that are failing CI

My feeling is that this still gives us regular, reasonably frequent dep updates, while still reducing the amount of noise and chores we have to deal with. It should still give us a reasonable target for bisecting any regressions, should any occur.

I have not yet tested this, and I'll need to do that before proceeding. In the meantime, I want to park this for discussion.

The docs for dependabot.yml are at https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference
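One way to express the three proposal points as a dependabot.yml, as an added example and not the config from this PR; it assumes the `cargo` ecosystem (git2 and clap_mangen are Rust crates), a manifest at the repository root, and the group name `cargo-deps`:

```yaml
# Assumed path: .github/dependabot.yml (example config, not the PR's own file)
version: 2
updates:
  - package-ecosystem: "cargo"   # assumed: git2 and clap_mangen are Rust crates
    directory: "/"               # assumed: Cargo.toml lives at the repo root
    schedule:
      interval: "monthly"        # point 1: monthly instead of weekly
    groups:
      # point 2: one PR for (almost) every dependency update
      cargo-deps:
        patterns:
          - "*"
        # point 3: known-troublesome crates are kept out of the group;
        # anything that matches no group falls back to Dependabot's default
        # of one PR per dependency, still on the monthly schedule
        exclude-patterns:
          - "git2"
          - "clap_mangen"
```

The `schedule` and `groups` keys above govern version updates only; Dependabot security updates, which are triggered by alerts rather than by the schedule, are unaffected, so a crate with a known vulnerability still gets its own PR when the alert fires.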
