chore(deps): consolidate dependabot groups (#27)

Consolidates dependabot grouping into one version-update group and one
security-update group per ecosystem to stop package-lock.json merge
conflicts between open PRs.

Before: split production/dev groups created two PRs per run, each
touching the lockfile; scoped names like `@eslint/js` slipped between
the glob patterns.
After: one version-updates PR + one rolling security-updates PR per
ecosystem. `open-pull-requests-limit` lowered to 2. Uses `applies-to` so
advisories batch instead of opening individual PRs.

No runtime/build impact — Dependabot config only.

Author: jack-arturo

.github/dependabot.yml

@@ -4,24 +4,32 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 2
     groups:
-      production-dependencies:
+      pip-version-updates:
+        applies-to: version-updates
         patterns:
           - "*"
-        exclude-patterns:
-          - "pytest*"
-          - "ruff"
-      dev-dependencies:
+      pip-security-updates:
+        applies-to: security-updates
         patterns:
-          - "pytest*"
-          - "ruff"
+          - "*"
     commit-message:
       prefix: "chore(deps)"
-    open-pull-requests-limit: 10
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 2
+    groups:
+      actions-version-updates:
+        applies-to: version-updates
+        patterns:
+          - "*"
+      actions-security-updates:
+        applies-to: security-updates
+        patterns:
+          - "*"
     commit-message:
       prefix: "chore(deps)"