Dependabot: trust individual external code registries

[TALlama]

The insecure-external-code-execution setting in the Dependabot docs lets the update checker trust external code registries.

But it's an all-or-nothing switch right now: if we allow it, we are implicitly trusting all registries that might get added in the future. Currently you make that decision once, based on the registries you have now, and never have to worry about it again.

We would prefer it if each registry could be trusted individually. When we add a new registry, we'd see the trust assertion in the PR and have to think about if we actually do trust it. We'd be regularly reminded that this part of our supply chain is potentially exploitable.

[bogn83]

We'd be regularly reminded that this part of our supply chain is potentially exploitable.
Totally agreeing that this would be a huge benefit and a much needed security improvement.