doc: add additional guidance for PRs to deps

- add additional guidance based in discussion related
  to recent PR to dependency and discussion within the
  security-wg slack channel.

Refs: nodejs/security-wg#1329

Signed-off-by: Michael Dawson <[email protected]>

Author: mhdawson

doc/contributing/maintaining/maintaining-dependencies.md

@@ -144,6 +144,11 @@ the corresponding script in `tools/update-deps`.
 [npm-cli-bot](https://github.com/npm/cli/blob/latest/.github/workflows/create-node-pr.yml)
 takes care of npm update, it is maintained by the npm team.
 
+PRs for manual dependency updates should only be accepted if
+the update cannot be generated by the automated tooling,
+the reason is clearly documented and either the PR is
+reviewed in detail or it is from an existing collaborator.
+
 ## Dependency list
 
 ### acorn

doc/contributing/pull-requests.md

@@ -525,6 +525,15 @@ to fail on specific platforms or for so-called "flaky" tests to fail ("be red").
 It is vital to visually inspect the results of all failed ("red") tests to
 determine whether the failure was caused by the changes in the pull request.
 
+
+### Dependencies
+
+Ideally pull requests for dependencies should be generated by automation.
+Pay special attention to pull requests for dependencies which have not
+been automatically generated and follow the guidance in
+[Maintaining Dependencies](https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintaining-dependencies.md#updating-dependencies).
+
+
 ## Notes
 
 ### Commit squashing