
Reduce Dependabot PR volume: trim catalog dep tree + automerge config #4869

Description

@drernie

Context

The repo gets ~26 Dependabot PRs / 10 months, almost all targeting /catalog. These are GitHub-triggered security updates (advisory-driven), not version bumps — .github/dependabot.yml only configures github-actions weekly. Recurring offenders: axios, follow-redirects, dompurify, lodash, serialize-javascript, node-forge, webpack plugins, vega-*, qs/express, jsonpath, jws, on-headers/compression, tmp, vite, rollup, ajv, @graphql-codegen/*, bundlewatch, etc.

What won't move the needle

  • Grouping in dependabot.yml alone — needs applies-to: security-updates and an explicit npm ecosystem entry. Modest reduction (~30%) since advisories arrive over time, not in batches.
  • Renovate ↔ Dependabot split (Renovate for versions, Dependabot for security) — best practice, but it doesn't reduce the security PR count, it just reorganizes them.

What would help

A. Make PRs invisible (highest leverage, lowest effort)

  • Enable auto-merge for patch/minor security PRs on green CI (Renovate automerge: true or GitHub native auto-merge + branch protection).
  • Schedule Renovate to batch routine bumps weekly (schedule: ["before 6am on monday"]).

B. Trim the catalog dep tree (eliminates root cause for ~30–40% of historical PRs)

Quick wins (~2h):

  • Drop bundlewatch — sole source of axios + follow-redirects. ~4 historical PRs.
  • Delete monocle-ts, newtype-ts — zero imports.

Medium (4–6h each):

  • Migrate aws-sdk v2 → v3 modular clients (only S3, Athena, Bedrock used). ~15 MB bundle + smaller CVE surface.
  • Replace remarkable + highlight.js with prism-react-renderer (5 import sites; both have CVE history).

Lower priority:

  • Replace narrow lodash usage with native equivalents (~16 sites).
  • Migrate immutable@3.8.2 → frozen objects / RTK (~7 sites; v3 is ancient).
  • Audit ramda usage (135+ sites — defer).

C. Load-bearing, not prunable

vega-*, webpack + plugins, @graphql-codegen/*, dompurify, jsdom. These will keep generating PRs; auto-merge is the only practical mitigation.

Suggested order

  1. Enable auto-merge for patch/minor security on green CI (1 PR, biggest immediate relief).
  2. Drop bundlewatch + unused FP packages (1 PR, kills 2 chronic offenders).
  3. AWS SDK v3 migration (separate PR, real bundle win).
  4. Markdown/highlighter swap (separate PR).

Expected outcome: ~half the historical PR volume eliminated, the remainder largely auto-merged.
