Enable dependabot automatic fixing of dependencies for improved security

[jamesobutler]

Enable dependabot in the security section of this repo. https://github.com/Project-MONAI/MONAILabel/settings/security_analysis
cc: @SachidanandAlle

With these settings turned on (see image below) you will see dependabot alerts such as:

• https://github.com/jamesobutler/MONAILabel/security/dependabot/3 which details a security issue with the current version requests being used by monailabel.
• https://github.com/jamesobutler/MONAILabel/security/dependabot/4
• https://github.com/jamesobutler/MONAILabel/security/dependabot/2
• https://github.com/jamesobutler/MONAILabel/security/dependabot/1

With the setting to enabled to allow dependabot to automatically open PRs, you will observe that it will open a PR such as:

• Bump requests from 2.31.0 to 2.32.2 jamesobutler/MONAILabel#1.
• Bump urllib3 from 2.2.1 to 2.2.2 jamesobutler/MONAILabel#2

[jamesobutler]

@SachidanandAlle Does this sound reasonable to improve the security for MonaiLabel? This usage of dependabot uses automation to reduce the amount of human interaction required to stay on top of updates.

[SachidanandAlle]

yes. makes sense :)

[SachidanandAlle]

one issue that needs to be fixed/resolved once we enable the dependency bot- keep both requirements.txt and setup.py in sync.

may be there is way to fix this dedup problem.

[jamesobutler]

Based on https://packaging.python.org/en/latest/discussions/install-requires-vs-requirements/ it appears that requirements.txt and install_requires of setup.cfg serve different purposes. The setup.cfg should contain the minimal set of requirements (non hard-pinned) while requirements.txt can contain pinned dependencies for repeatable installations. So the need for them to be the exact same appears to be unnecessary based on the python organization's guidance.