chore(dependabot): raise npm PR limit to 5 to match 4 monitored dirs

[jhfnetboy]

Summary

• PR chore(deps): scope Dependabot to root + packages/*, exclude vendored submodules #89 (+ follow-up aa20272) expanded the npm directories list to 4 paths: /, /packages/*, /subgraph, /script/gasless-tests.
• open-pull-requests-limit was kept at 1, but this limit is shared across the whole ecosystem, not per-directory. So one stuck PR in any one path blocks updates for the other three.
• Bump npm limit 1 → 5: one slot per monitored directory + 1 buffer for cross-week stragglers.
• github-actions block is unchanged (it still monitors only /, so 1 is correct).

Why 5 (most conservative non-blocking value)

Ecosystem	Directories	Worst-case grouped PRs/week	New limit
npm	4	4	5 (4 + 1 buffer)
github-actions	1	1	1 (unchanged)

5 is the smallest value that:

1. Cannot deadlock when every directory has an open PR;
2. Tolerates one previous-week PR lingering when the next weekly run fires.

Test plan

• Config parses (Dependabot reports via Insights → Dependency graph).
• Next weekly run can open multiple PRs in different directories simultaneously when warranted.
• No PR flood beyond 5 concurrent grouped PRs in npm ecosystem.

[fanhousanbu]

代码审查

通过，可直接合并

LOW — 注释中的目录数量表述
注释写 "4 directories" 但 directories 列表中还包含多个 ! 排除项（!/singleton-paymaster/** 等）。排除项不构成监控目录，注释意图清晰，但措辞略有歧义，可酌情修正。