Add extra notes that detail how we use Dependabot #428

Merged (1 commit), May 20, 2020
11 changes: 9 additions & 2 deletions source/standards/tracking-dependencies.html.md.erb
@@ -20,13 +20,18 @@ Update your dependencies frequently rather than in ‘big bang’ batches. This

There are tools which scan GitHub repositories and raise PRs when they find dependency updates. Teams at GDS are using:

* [Dependabot][] - used by GOV.UK, GOV.UK Pay and GovWifi. The GOV.UK team manual contains [guidance on using Dependabot][] and [how the PRs raised should be reviewed][]
* [Dependabot][] - used by GOV.UK, GOV.UK Pay, GovWifi and Digital Marketplace. The GOV.UK docs contain [guidance on using Dependabot][] and [how the PRs raised should be reviewed][]
Contributor comment on this line: Could add GOV.UK PaaS to this too - Dependabot's used for the Node.js frontend.

> Note: this is separate from the [security-only updates provided automatically by GitHub Dependabot].

> Note: repos requiring at least one approving review for PRs cannot, and should not, use [Dependabot's auto-approve-and-merge facility].

> Note: we have not enabled "Treat PR approval as a request to merge", as this would lead to a surprising behaviour at the point of approval.

* [PyUp][] - a Python dependency checker. Used by Digital Marketplace and GOV.UK Notify, PyUp will monitor for updates and vulnerabilities
* [Greenkeeper][] - an npm dependency checker used by the GOV.UK Verify team on the [Node.js client for the Verify Service Provider][]

All the above tools are free to use on public repositories.

GitHub has turned on Dependabot for all repositories which are active, public and have not been forked.

The Cyber Security team will review the repositories that do not have dependency management in use and will turn on Dependabot where required. Service teams are free to use a different tool such as [Snyk](https://snyk.io/), but will need to add a `no-dependabot` tag to their repository for monitoring purposes. You can [contact Cyber Security](https://gds.slack.com/archives/CCMPJKFDK) if you have any questions or need help.
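Review bot: the three `> Note:` blockquotes inserted between the Dependabot bullet and the PyUp bullet will split the bullet list when the Markdown is rendered, so PyUp and Greenkeeper become a second list; either indent the notes under the Dependabot item or move them below the list. Two of the notes would also read better with a little more precision: the second says repos requiring an approving review "cannot, and should not" use auto-merge, and a short clause on why (auto-merging would have to bypass the branch protection that enforces the review) would make the "should not" stand on its own; the third says "we have not enabled" the "Treat PR approval as a request to merge" option, and it should say which repositories or organisation that applies to and what the surprising behaviour is, since readers of the standards page will not know either. The contributor's comment about GOV.UK PaaS also using Dependabot was not picked up in the final line; worth a follow-up if it is accurate.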

@@ -70,6 +75,8 @@ Also consider managed solutions where possible. For example:

This guidance is in line with the GDS Reliability Engineering strategic principle of [use fully managed cloud services by default][].

[Dependabot's auto-approve-and-merge facility]: https://dependabot.com/blog/automatic-pull-request-merging/
[security-only updates provided automatically by GitHub Dependabot]: https://help.github.com/en/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies#alerts-and-automated-security-updates-for-vulnerable-dependencies
[GDS supported programming languages]: /standards/programming-languages.html#content
[managing software dependencies in the Service Manual]: https://www.gov.uk/service-manual/technology/managing-software-dependencies
[programming language style guides]: /manuals/programming-languages.html
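Review bot: the two new link definitions are placed at the top of the reference block, but the existing entries below them are in alphabetical order ([GDS supported programming languages], [managing software dependencies ...], [programming language style guides]); keep that ordering, which puts [security-only updates provided automatically by GitHub Dependabot] after the programming-language entries. Also note that the auto-approve-and-merge link points at a vendor blog post on dependabot.com while the security-updates link points at help.github.com; blog posts move more often than documentation pages, so prefer a GitHub documentation page for the auto-merge feature if one exists, or at least check that the blog URL still resolves before merging.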