🏗 Allow renovate to update AMP runtime dependencies

[rsimha]

We've been using tools like Greenkeeper, and now Renovate, to keep the devDependencies section of package.json up to date. However, we've preferred to manually upgrade the dependencies section due to the risk of a breaking change making it in to the AMP runtime.

As it turns out, there's just as much risk in having dependency versions go stale because no one has touched them in years. For example, #15728

This PR enables semi-automatic updates to the dependencies section of package.json. A new PR will be generated for each item on the list that gets an updated. It still falls on the AMP build cop to review the updates, make sure they are safe, and merge them manually.

Update: Per discussion below, we'll only receive updates for dompurify.

[rsimha]

/to @cramforce @choumx @erwinmombay

[dreamofabear]

What risk was involved in #15728? That particular change needed substantial oversight.

[rsimha]

@choumx The risk I was referring to was when a dependency becomes stale and ends up with a security vulnerability. I might be mistaken about #15728 being such a case. IIRC, we did have a few outdated packages with security vulnerabilities in the past (like #11303), that we had to upgrade.

Do you think it's worth getting an incoming PR when a dependency is updated? Or are we okay with the current status, where they remain static until someone manually checks to see if a new version exists?

[dreamofabear]

I think we should enable it for dompurify which does have security implications. Not sure about the others. Problems in dev-deps (#11303) are not as serious.

[rsimha]

@choumx Done. PTAL.