The contents of this blog post have proven very useful today. The actions/checkout version was updated recently, and I've received a large number of PRs from Dependabot that just needed to be accepted.
#github #githubactions #dependabot
Just noticed that #dependabot can update #githubactions versions. A needed feature indeed, so far I have been manually monitoring the repository tags for updates
Anyone interested in #dependabot supporting vendoring for #php dependencies?
It means dependabot would commit the vendor/ dir and not just update composer.lock/json. It's really useful for e.g. app repositories.
if so, please vote
A faster way to manage version updates with #Dependabot #github https://github.blog/2023-08-24-a-faster-way-to-manage-version-updates-with-dependabot/
A faster way to manage version updates with Dependabot
Check it out!
https://github.blog/2023-08-24-a-faster-way-to-manage-version-updates-with-dependabot/
#supplychainsecurity #dependabot #security #product
Any #saucelabs #github #dependabot users know how to give dependabot access to secret keys so sauce labs tests will run?
#saucelabs #GitHub #dependabot #foss
1st of the month is #github #dependabot day in many repos.
That means hundreds of notification mails from github and merging orgy.
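Putting the Actions-update support mentioned above together with Dependabot's grouped updates is one way to shrink the first-of-the-month PR flood. This is an added example of a `.github/dependabot.yml`, not a file from any of the posts; the group names and the npm ecosystem entry are assumptions for illustration.

```yaml
# .github/dependabot.yml (added example, not from the posts above)
version: 2
updates:
  # Keep the actions referenced in .github/workflows/*.yml current.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      # One PR for all action bumps instead of one PR per action.
      actions:
        patterns:
          - "*"

  # Assumed npm project at the repo root; adjust or remove as needed.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # devDependencies minor/patch bumps collapse into a single PR;
      # production majors stay as individual PRs so they get a closer look.
      dev-minor-patch:
        dependency-type: "development"
        update-types:
          - "minor"
          - "patch"
```

Security updates are not affected by `groups` unless you also configure them there, so a vulnerable dependency still gets its own PR.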
@khmarbaise and use #dependabot and @snyk, they will keep you up to date enough
sbt-dependency-submission is a nifty GitHub Action to report dependencies at build time for vulnerability scanning. It even sees your transitive dependencies. But it can be hard to debug why a dependency was submitted.
In ~/.sbt/1.0/sbt-dependency-submission.sbt:
```
addSbtPlugin("ch.epfl.scala" % "sbt-github-dependency-submission" % "2.1.2")
```
Now you can run `show githubDependencyManifest` to debug!
Yesterday I made a prototype to improve #GitHub :github: #Dependabot when using #GoLang.
If you'd like to try it out, and promise to give feedback, I can give a few people access to a private repo before I open source something - just drop me your GitHub handle please.
Read on for how it works
#SCA #AppSec #SupplyChainSecurity #DependencySubmission #AST #AbstractSyntaxTree #GitHubAdvisoryDatabase #VulnerabilityManagement
What do you use to track dependency updates?
#node #dependencies #dependabot #renovate
Dependabot relieves alert fatigue from npm devDependencies
Check it out!
https://github.blog/2023-05-02-dependabot-relieves-alert-fatigue-from-npm-devdependencies/
#SupplyChainSecurity #Npm #Dependabot #Security #Product #OpenSource
Going through all my #Dependabot notifications
#GitHub #developer #NodeJS #PHP #Laravel #dependencies #code
Anyone else getting swarms of email notifications today that Dependabot was enabled on their GitHub repositories?
Dependabot finds things we don't, but vulnerability fatigue is real. We have a telemetry client that uses OkHttp. We don't write Kotlin, we don't use our telemetry client in a way that invokes Kotlin, and our client probably doesn't use the vulnerable parts of Kotlin. But every Scala repo will be pinged about every Kotlin stdlib vulnerability because it's dormant on the classpath.
@bodsch@mastodon.social Hopefully you don't want to tell me that your chosen language Python is hassle-free :mastorofl: The "best" language doesn't help if the developer can't handle it properly.
Anyway, I guess I won't convince you, but I'm very grateful to have a full #opensource alternative to #dependabot and #renovatebot does a solid job here.
#renovatebot #dependabot #opensource
Here's a neat little tip on how you can use #GitHub's new "merge queue" feature to ease the pain with #Dependabot churn:
dependabot and stalebot do more harm than good.
Change my mind.
#dependabot #stalebot #opensource #softwaredevelopment #packaging #developerexperience #lamehashtags
Did you know bots can automatically create pull requests to keep dependencies secure and up to date? @maritvandijk compares and contrasts #Renovate, #Dependabot, and #Snyk on Foojay :foojay: Today!
https://foojay.io/today/using-bots-to-keep-dependencies-updated
#renovate #dependabot #snyk #foojaytip #java #kotlin