
CI: Configure dependabot to update package.json #1255

Merged: tyrasd merged 1 commit into main from tordans-patch-1 on Sep 16, 2025

tordans (Collaborator) commented Jun 7, 2024

I was wondering why https://github.com/openstreetmap/id-tagging-schema/pull/1252/files only updates the package-lock.json and not the package.json.

I find it confusing if the one is different, because I consider the package-lock.json something that can be deleted and regenerated.

It looks like https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy is the config to change this.

This PR adds

increase-if-necessary | Leave the constraint if the original constraint allows the new version, otherwise, bump the constraint.

which sounds like a good option.

I hope this will make it look more like https://github.com/openstreetmap/id-tagging-schema/pull/1250/files

But I have no experience with this kind of config, so a review is needed :).

github-actions bot commented Jun 7, 2024

🍱 You can preview the tagging presets of this pull request here.

tyrasd (Member) commented Jun 4, 2025

This is most likely because dependabot treats iD as an app and the tagging repo as a library:

Dependabot default behavior:

  • Try to differentiate between app and library dependencies.
  • For apps, always increase the minimum version requirement to match the new version. The increase strategy.
  • For libraries, widen the allowed version requirements to include both the new and old versions, when possible. The widen strategy.

I think this is generally a sensible choice, because for libraries you want to be more lenient with the exact version that gets resolved in the final application that uses the library (as long as it fits the required minimum version or supported version range).

That said, since the tagging-schema only has devDependencies, this doesn't play a role here, really. So, I think we could set the versioning-strategy to increase or increase-if-necessary as proposed.
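
Added example, not part of this PR or of Dependabot's code: a simplified model of the `increase` and `increase-if-necessary` strategies, following the descriptions quoted in this thread, to show when each one rewrites the constraint in package.json. It assumes caret constraints of the form `^X.Y.Z` with X >= 1; the function names and sample versions are constructed for illustration.

```javascript
// Simplified model (added example, not Dependabot's implementation).
// Assumption: constraints look like ^X.Y.Z with X >= 1, versions like X.Y.Z.
const parse = (v) => v.replace(/^\^/, "").split(".").map(Number);

// Compare two [major, minor, patch] triples: negative, zero or positive.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// ^X.Y.Z (X >= 1) allows every version >= X.Y.Z with the same major.
function caretAllows(constraint, version) {
  const base = parse(constraint);
  const v = parse(version);
  return v[0] === base[0] && compare(v, base) >= 0;
}

// Constraint that package.json carries after the update, per strategy.
function updatedConstraint(strategy, constraint, newVersion) {
  switch (strategy) {
    case "increase": // always raise the minimum to the new version
      return `^${newVersion}`;
    case "increase-if-necessary": // keep the constraint if it already allows it
      return caretAllows(constraint, newVersion) ? constraint : `^${newVersion}`;
    default:
      throw new Error(`strategy not modelled: ${strategy}`);
  }
}

// True when the update touches package.json and not only the lockfile.
function manifestChanges(strategy, constraint, newVersion) {
  return updatedConstraint(strategy, constraint, newVersion) !== constraint;
}

// Constructed samples: one in-range update, one major-version update.
const samples = [["^1.2.0", "1.4.1"], ["^1.2.0", "2.0.0"]];
for (const [constraint, version] of samples) {
  for (const strategy of ["increase", "increase-if-necessary"]) {
    console.log(strategy, constraint, "->", version, ":",
      updatedConstraint(strategy, constraint, version));
  }
}
```

In this model an in-range update leaves package.json untouched under `increase-if-necessary`, so only the lockfile changes; `increase` rewrites the constraint every time.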

@tyrasd tyrasd merged commit 449fae4 into main Sep 16, 2025
tyrasd (Member) commented Sep 16, 2025

(Sorry, I had forgotten to merge this after the review.)

@tyrasd tyrasd deleted the tordans-patch-1 branch September 16, 2025 10:35