see for details : https://dependabot.com/docs/config-file/#allowed_updates
## Why make the change?
@dependabot makes PRs for upgrading dependencies, but it doesn't automatically call `make vendor`, which is a problem because that means any merge for a @dependabot PR will require manual intervention.
I've looked through the @dependabot PR history and there has never been a successfully merged PR. [See here](https://github.com/status-im/status-go/pulls?q=is%3Apr+author%3Aapp%2Fdependabot-preview+is%3Aclosed)
If we are going to use this service we should only be warned of security updates, until we can implement a `make-vendor-bot` to automatically update the vendored files.
## What has changed?
Changed @dependabot settings to only make a PR for security updates.
Samuel Hawksby-Robinson
Pedro Pombeiro