dependabot: update lockfile only (#959)

Author: conradoplg

.github/dependabot.yml

@@ -8,6 +8,9 @@ updates:
   open-pull-requests-limit: 10
 - package-ecosystem: cargo
   directory: "/"
+  # Update only the lockfile. We shouldn't update Cargo.toml unless it's for
+  # a security issue, or if we need a new feature of the dependency.
+  versioning-strategy: lockfile-only
   schedule:
     interval: monthly
     timezone: America/New_York