chore: Update CONTRIBUTING.md with dependency update policy (#2946)

Added guidelines for handling dependency updates.

---------

Signed-off-by: ldetmer <[email protected]>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

Author: ldetmer

CONTRIBUTING.md

@@ -423,3 +423,10 @@ tools or services (e.g., docker, protoc, etc.) should be skipped when those
 tools are not available in the development environment. See
 [doc/onboarding.md](https://github.com/googleapis/librarian/blob/main/doc/onboarding.md)
 for information on how to configure your development environment.
+
+### Handling Dependency Updates
+
+We only update dependencies for security vulnerabilities, bug fixes, or to add
+feature support. Security vulnerabilities are identified using Dependabot and 
+govulncheck. Dependency updates for bug fixes or new features must be associated 
+with an issue in this repository.