Renovate lockfile maintenance

Renovate doesn't seem to update transitive dependencies unless a direct dependency is updated. This means some transitive dependencies with vulnerabilities could go a while before being updated.

https://docs.renovatebot.com/configuration-options/#lockfilemaintenance