For dev tools and other projects where Denial of Service is not a concerning vulnerability, it's a wise idea to filter those out so that the noise of DoS vulnerabilities doesn't drown out the rest.
Here's a filter for GitHub's #Dependabot alerts: gist.github.com/voxpelli/d68...
@github.com all dependabot PRs since yesterday are stuck waiting for approval to run workflow.
If that change is intentional, there has to be a way to create an exception for @dependabot.bsky.social
Don’t let your supply chain be a black box. 📦
#Gradle + #GitHub = Automated dependency tracking and faster vulnerability response.
Secure your builds today. 🛡️⚡️
blog.gradle.org/avoid-supply-chain-disas...
#Dependabot
Manual audits can't keep up with dynamic Gradle builds. ⚙️
Automate your security with GitHub’s Dependency Graph & Gradle Build Scan. Trace every CVE to its source. 🔍
blog.gradle.org/avoid-supply-chain-disas...
#Gradle #GitHub #Dependabot #CVE
Declared dependencies are just the tip of the iceberg. 🧊
Use the #Gradle + #Github integration to surface hidden transitive vulnerabilities and automate your response. 🛡️
Read more: blog.gradle.org/avoid-supply-chain-disas...
#Dependabot
⚠️ Go lib maintainer: GitHub's Dependabot is a 'noise machine'
#Dependabot #vulnerability #github #opensource #cybersecurity
If you've ever wondered how to automate the upgrading of your JDK in Docker images, you might want to check out my latest article.
medium.com/devops-by-na...
#build
#cicd
#dependabot
#devops
#devsecops
#git
#github
#jdk #java #openjdk #temurin #eclipse
#softwaredevelopment #softwareengineering
If you'd like to find out how to set up GitHub Code Quality, you can check out my latest article on Medium.
#cicd
#codequality
#devops
#devsecops
#git
#github
#ghas
#codeql
#dependabot
#scm #vcs #versioncontrol
#sast
#devlearning #softwaredevelopment #softwareengineering
medium.com/devops-by-na...
#Dependabot alerted me to a high-severity defect in a transient dependency (the dependency is from Stripe!). The same day a user reported a defect in the system that's apparently been there for quite some time. Both are now fixed in production.
So that's how my #NYE is going.
If dependabot had been able to FF merge the changes that could be FF merged that would have cut down the number of dependabot commits by half.
And it would have seriously reduced the visual clutter of the main branch by more than the reduction in the number of commits.
#dependabot #gitCommitClutter […]
Just had to commit plenty of dependabot PRs (update of the checkout action).
Here are my scripts that made it a bit easier:
gist.github.com/floitsch/4d3...
#github #dependabot
Dependabot can do this too? That's cool. https://github.com/honzajavorek/p3news/pull/17/files
#dependabot #uv #buildsystem #requires #python
Looks like GitHub is tweaking Dependabot PR comment commands. Good to know ahead of Oct 2025 so I can update my muscle memory. Always a small re-learning curve with these changes! 😅 #Dependabot #GitHub
Check out my latest article on how GitHub became the de facto standard platform for software development.
#cicd #devops #devsecops #git #github #ghas #codeql #dependabot #scm #vcs #versioncontrol #opensource #devlearning #softwaredevelopment #softwareengineering
medium.com/devops-by-na...
A screenshot of my notifications, all from GitHub's dependabot.
Not even my friends and family talk to me this much 😢 #GitHub #dependabot
For those who moved their projects from #GitHub to @Codeberg
What do you use instead of #dependabot?
If you are not selfhosting runners, what do you use?
#developer #codeberg #runners
IDK about you but I have to start paying more attention to changelogs. Also reducing dependencies by literally copying source code from small (open source) packages is a game changer. #npm #github #hacked #dependabot www.youtube.com/watch?v=jo4L...
Dependabot support for vcpkg | by James Magee.
buff.ly/4TG12In
#cpp #vcpkg #dependabot #devsecops
Enable #Dependabot on each @GitHub's #PHP project:
gist.github.com/Vitexus/436fdc710bb5c9c1...
#Security #Development
The new Dependabot NuGet updater: 65% faster with native .NET.
buff.ly/1zE8G6h
#nuget #dotnet #performance #dependabot
I so hope this fixes some of the recent bugs I've been seeing. It has looked from the outside like the #dependabot team was struggling.
Nice updates for how #dependabot uses #nuget with #dotnet
devblogs.microsoft.com/dotnet/the-new-dependabo...
The new Dependabot NuGet updater: 65% faster with native .NET Discover the new Dependabot NuGet updater that improves performance, accuracy, and developer experience by leveraging native .NET tooli...
#.NET #NuGet #Dependabot #msbuild #Package […]
Finally, there is the option to run GitHub Dependabot on a cron job basis <3
(released in April, I haven't seen it before)
github.blog/changelog/2025-04-22-dep... […]
Does #Microsoft even care about #Dependabot at all any more? The #dotnet support has multiple open bugs causing valid configurations (that is, ones that worked at the beginning of the year) not to produce results, for months now. For a commercially supported product, that feels like a sad joke […]
Why isn't there a #docker compose #github action?
#github gives you `services`, but if you use them, you likely have a docker-compose.yml, and then you're duplicating your dependencies.
Plus, #dependabot doesn't know how to update `services` images, so your dependencies get stale.
holy shit dependabot can now run on depot runners 🤯
flip one setting and your dependency updates become near instant
you're welcome
docs in 🧵
#github #dependabot #cicd
1/5 Heya Fed, Hint of the day for the devs out there: I was heavily reliant on Dependabot to keep my project's software versions up to date (you are keeping your dependencies up to date, right?).
Some colleagues who are deeper into OSS told me to try Renovate, but I mostly dismissed it as just […]