Enable dependabot with grouping

[hairmare]

Currently dependabot has already opened several security related PRs in it's default config.

To make dependabot PRs easier to merge, we can configure it properly so it does more than just security pull-requests. We can also make it group related package groups.

Some idea for grouping would be

• group all package so there is always only one large nextjs PR ready for merging
• group nextjs, react, and nodejs into individual groups of related packages
• only group packages that get delivered from a monorepo by upstream

How to configure this depends on personal preference to some degree. If dependabot doesn't help keeping dependencies updated, then we should explore other options.