chore: configure dependabot for monthly npm/composer update PRs

[dustin-jw]

Description

This sets up dependabot to create update PRs for npm/composer dependencies on a monthly schedule. To make the process of validating updates simple without risking unexpected breaking changes, the updates are grouped by minor/patch version vs. major version updates, by development vs. production dependencies, and by composer vs. npm dependencies.

Here's a PR for another project for adding a very similar config, and here's an example dependabot PR that updated all dev dependencies. The open question about this PR's config is whether Composer behaves the same way as npm.

Closes #92

To Validate

1. Make sure all PR Checks have passed
2. We can't validate what dependabot will do until this file is on main, but you can check the configuration options to make sure our usage is valid

[rise-erpelding]

This seems like it will probably work ok!