fix: restrict Dependabot pip updates to security-only

The Dependabot config added in #517 included weekly version-bump PRs for
all three pip packages. This would generate noisy PRs for routine dep
updates we don't need. Set open-pull-requests-limit: 0 on the pip
ecosystems so only CVE-triggered security updates open PRs.

GitHub Actions weekly bumps are kept as-is to keep SHA pins current.

Author: andreatgretel

.github/dependabot.yml

@@ -10,17 +10,20 @@ updates:
     directory: /packages/data-designer-config
     schedule:
       interval: weekly
+    open-pull-requests-limit: 0
     commit-message:
       prefix: "chore"
   - package-ecosystem: pip
     directory: /packages/data-designer-engine
     schedule:
       interval: weekly
+    open-pull-requests-limit: 0
     commit-message:
       prefix: "chore"
   - package-ecosystem: pip
     directory: /packages/data-designer
     schedule:
       interval: weekly
+    open-pull-requests-limit: 0
     commit-message:
       prefix: "chore"