chore: improve dependabot config — ignore major bumps, group minor/patch

[goergenj]

Improve Dependabot Configuration

Prevents the PR pileup problem where 40+ major-bump PRs accumulate that always get closed manually.

Changes

1. Ignore major version bumps (ignore rules)

Every entry now has:

ignore:
  - dependency-name: "*"
    update-types: ["version-update:semver-major"]

This prevents PRs for: React 18→19, vite→8, ESLint→10, Tailwind→4, .NET 9→10, Spring Boot 3→4, Express 4→5, TypeScript 5→6, etc.

Major upgrades should be planned and executed as coordinated efforts, not individual dependabot PRs.

2. Group minor/patch updates (groups)

Every entry now has:

groups:
  npm-minor-patch:  # (or python-/nuget-/maven-minor-patch)
    update-types: ["minor", "patch"]

This consolidates all minor+patch bumps per directory into a single PR instead of one per dependency. Expected reduction: ~5-10x fewer PRs for the same coverage.

3. Standardized limits

All entries use open-pull-requests-limit: 5 (down from 10 on many entries).

Impact

• Before: 40+ open dependabot PRs, most of which are major bumps that get closed manually
• After: Only minor/patch PRs, grouped per directory — expect ~1 PR per directory per week at most
• Dependabot's built-in superseding behavior handles the rest (newer patch replaces older patch automatically)