Dependabot maintenance 'campsite rule'

[blackfalcon]

Using this pre-filtered link, the Auro team needs to find a cadence in which we will address dependabot updates.

https://github.com/orgs/AlaskaAirlines/security/alerts/dependabot?page=1&q=is%3Aopen+team%3Aauro-team+sort%3Anewest+-repo%3AAuroDocsSite%2CAuroAngularDemo%2CAuroVueDemo%2CAuroReactDemo%2CAuroSvelteDemo%2CAuroJavascriptDemo%2CAuroCore-swatch%2Cauro-tokenlist

Aside from merging in these pull requests, following the campsite rule, it is expected that with every pull request in a repo that there is also a commit that updates as many dependencies as possible without incurring a refactor of code. Also, if an updated dependency requires updating code, please make sure to create an issue that describes the work discovered to be addressed at a later time.

Proposed support cadence

1. With each dev-created PR, there should be a dependency update commit
2. Only addressing PATCH and MINOR updates is appropriate.
   • MAJOR updates may require code changes and are not considered a MUST when performing these updates.
   • When MAJOR updates are discovered that require code changes, it's recommended to start a Discussion with the proposed code changes to communicate this to the team. See example.
3. When there are multiple dependabot PRs open for a repo, consider merging in these branches prior to performing a manual update of dependencies on the repo

An issue comes in with repos that are not touched often. I propose the following.

When a developer completes new work, before picking up new work they should;

1. Look for PRs to support
   • ensure that the PR has updated dependencies and incorporated dependabot updates
2. Review this page and provide updated support for at least one repo in the list