
Review and configure dependabot
Closed, ResolvedPublic

Description

Current situation
dependabot is creating PRs to update GitHub Actions dependencies. This is helpful. Other dependencies (such as npm and Docker Hub images) apparently are not analyzed.

Goal

  • Understand dependabot's current configuration
  • Research whether dependabot can do updates on other dependencies as well
  • If yes, configure dependabot to do as much dependency tracking for us as possible

Event Timeline

Something like this looks like it should work:

version: 2
updates:
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
    open-pull-requests-limit: 5

  - package-ecosystem: npm
    directory: "/test/"
    schedule:
      interval: daily
      time: "03:00"
    open-pull-requests-limit: 5
    groups:
      types:
        patterns:
          - "@types*"
        update-types:
          - "minor"
          - "patch"
      wdio:
        patterns:
          - "@wdio*"
          - "wdio*"
        update-types:
          - "minor"
          - "patch"
      lint:
        patterns:
          - "eslint*"
          - "@*/eslint*"
          - "stylelint*"
        update-types:
          - "minor"
          - "patch"

If I understand correctly, that should check at 03:00 UTC daily for updates to all NPM packages. It'll group together @types, wdio, and lint updates when they're minor or patches, otherwise it'll submit a PR per package, up to 5. Docker config looks a little more involved.

Also, I just brought everything pretty up to date in the Typescript story, so this seems like a good time to do this.

Acceptance criteria:
  • Dependabot runs regularly to check for updates in NPM packages and Docker, and opens PRs accordingly.
  • Per documentation, there's some configuration in Dockerfiles to be done; this must not interfere with the functionality of the Docker images.
Open questions:
  • Should Dependabot be limited to a certain number of open PRs at a time, and if so approximately how many? Bear in mind it doesn't appear to have a universal limit, just per package-ecosystem.
  • What should we do about breaking changes?
    • Perhaps bring it up at the soonest refinement or sprint planning to either assign someone to fix the breaking changes or update Dependabot to ignore major changes for that particular package.
Developer Discretion:
  • Whether and how packages should be grouped, frequency and timing of checks.