Do you use astral-sh/setup-uv@v7 in #GitHubActions?

And it's not hash-pinned?

And you use #Dependabot or #Renovate?

The setup-uv project has switched to only Vx.y.z tags, no more Vx or Vx.y.

But Dependabot and Renovate won't upgrade from Vx to Vx.y.z, so you'll need to manually update to astral-sh/setup-uv@v8.0.0 to keep up with future updates.

"To increase security even more we will stop publishing minor tags. You won't be able to use v8 or v8.0 any longer."

https://github.com/astral-sh/setup-uv/issues/830
#Python #uv

Release v8.0.0 does not work with v8 or v8.0 · Issue #830 · astral-sh/setup-uv

neither astral-sh/setup-uv@v8 nor astral-sh/setup-uv@v8.0 work -- only astral-sh/setup-uv@v8.0.0 works

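As an added example (my own code, not part of the post above or of the setup-uv project), a stdlib-only Python audit of a workflow's `uses:` references. It classifies each ref as a full commit SHA pin, a full vX.Y.Z tag, a floating minor or major tag, or a branch, so the `@v7`-style references the post is about can be found before the tag stops resolving, and so un-pinned actions can be listed for hash-pinning. The workflow text is constructed; the 40-hex SHA in it is a placeholder, not a real commit.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not from the original post). It mixes a floating
# major tag, a minor tag, a full-version tag, a SHA pin and a branch ref.
# The 40-hex SHA is a placeholder, not a real commit of actions/setup-python.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v8
      - uses: astral-sh/setup-uv@v8.0
      - uses: astral-sh/setup-uv@v8.0.0
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.3.0
      - uses: some-org/some-action@main
      - run: uv sync
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
FULL_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+")
MINOR_TAG_RE = re.compile(r"^v?\d+\.\d+$")
MAJOR_TAG_RE = re.compile(r"^v?\d+$")


def classify_ref(ref: str) -> str:
    """Classify the part after '@' in a `uses:` value."""
    if SHA_RE.match(ref):
        return "sha"
    if FULL_TAG_RE.match(ref):
        return "full-tag"
    if MINOR_TAG_RE.match(ref):
        return "minor-tag"
    if MAJOR_TAG_RE.match(ref):
        return "major-tag"
    return "branch-or-other"


def audit_uses(workflow_text: str) -> List[Dict[str, str]]:
    """One record per `uses:` entry: action, ref and pin class.
    Local actions (./path) and docker:// references are skipped."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        value = m.group(1).strip("'\"")
        if value.startswith("./") or value.startswith("docker://") or "@" not in value:
            continue
        action, ref = value.rsplit("@", 1)
        findings.append({"action": action, "ref": ref, "kind": classify_ref(ref)})
    return findings


def unpinned(workflow_text: str) -> List[str]:
    """Every `uses:` that is not pinned to a full commit SHA, as 'action@ref'."""
    return [f"{f['action']}@{f['ref']}" for f in audit_uses(workflow_text)
            if f["kind"] != "sha"]


def floating_tags(workflow_text: str, action: str) -> List[str]:
    """Refs of `action` that are major- or minor-only tags: the kind that stopped
    resolving when setup-uv moved to vX.Y.Z-only tags, and that Dependabot and
    Renovate will not move to a vX.Y.Z tag on their own."""
    return [f["ref"] for f in audit_uses(workflow_text)
            if f["action"] == action and f["kind"] in ("major-tag", "minor-tag")]


if __name__ == "__main__":
    for entry in unpinned(SAMPLE_WORKFLOW):
        print("not SHA-pinned:", entry)
    print("setup-uv floating tags:", floating_tags(SAMPLE_WORKFLOW, "astral-sh/setup-uv"))
```

Run it over the files under `.github/workflows/` and fix anything reported as a floating tag first, since those break outright; for the rest, pinning to the commit SHA with a trailing `# vX.Y.Z` comment (as on the setup-python line above) is the form Dependabot and Renovate know how to keep updated, so hash-pinning does not cost you the automated bumps.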

Dependabot-Core: an analysis of the core library behind automated dependency updates

Dependabot-Core is the core Ruby library that drives GitHub's automated dependency update feature; it contains the update logic for a wide range of languages and package managers.

Ruby-News | Ruby AI News

Minimum Release Age Is an Underrated Supply Chain Defense, by @daniakash.com:

https://daniakash.com/posts/simplest-supply-chain-defense/

#security #dependencies #npm #bun #pnpm #yarn #deno #renovate #dependabot #axios

Minimum Release Age is an Underrated Supply Chain Defense | Dani Akash

A 7-day package delay would have blocked installs in most short-lived malicious publish attacks from the last 8 years
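As an added example of the rule the linked post argues for (my own code, not the author's), a resolver that refuses to select any version younger than a minimum age, so a freshly pushed release sits in quarantine until the window has passed. The release metadata is constructed and mirrors the shape of PyPI's JSON `releases` map (version to a list of files with `upload_time_iso_8601`); the versions, timestamps and `NOW` are invented.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed release metadata (not real package data), shaped like the
# `releases` map of PyPI's JSON API. "2.0.1" was uploaded about two days
# before NOW, standing in for a freshly published (possibly malicious) version.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
SAMPLE_RELEASES: Dict[str, list] = {
    "1.9.0": [{"upload_time_iso_8601": "2025-11-10T12:00:00Z"}],
    "1.9.1": [{"upload_time_iso_8601": "2026-01-15T09:30:00Z"}],
    "2.0.0": [{"upload_time_iso_8601": "2026-02-10T08:00:00Z"}],
    "2.0.1": [{"upload_time_iso_8601": "2026-02-26T22:00:00Z"}],
}


def parse_version(v: str) -> tuple:
    """Numeric sort key for plain X.Y.Z versions (enough for this example)."""
    return tuple(int(x) for x in v.split("."))


def first_upload(files: list) -> datetime:
    """Earliest upload time of any file in the release: the moment it became installable."""
    times = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
             for f in files]
    return min(times)


def latest_mature_version(releases: Dict[str, list], min_age_days: int,
                          now: datetime = NOW) -> Optional[str]:
    """Newest version whose first upload is at least `min_age_days` old.
    Returns None when every release is younger than the threshold; the caller
    should then keep the currently installed version rather than upgrade."""
    cutoff = now - timedelta(days=min_age_days)
    eligible = [v for v, files in releases.items() if files and first_upload(files) <= cutoff]
    if not eligible:
        return None
    return max(eligible, key=parse_version)


def quarantined_versions(releases: Dict[str, list], min_age_days: int,
                         now: datetime = NOW) -> List[str]:
    """Versions still inside the waiting window, oldest first."""
    cutoff = now - timedelta(days=min_age_days)
    return sorted((v for v, files in releases.items() if files and first_upload(files) > cutoff),
                  key=parse_version)


if __name__ == "__main__":
    print("newest overall:", latest_mature_version(SAMPLE_RELEASES, 0))
    print("newest >= 7 days old:", latest_mature_version(SAMPLE_RELEASES, 7))
    print("quarantined:", quarantined_versions(SAMPLE_RELEASES, 7))
```

The same rule is available natively in the tools the post tags: pnpm's `minimumReleaseAge` setting, Renovate's `minimumReleaseAge`, and Dependabot's `cooldown` block in `dependabot.yml`. The point of the code is what those settings do underneath: the age is measured from first publication, and a release that is too young is not an error but simply invisible until the window elapses, which is what gives maintainers time to pull a compromised version before anyone installs it.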

Is #js the next #java applets? Some may remember there were so many viruses and hacks happening with #applets around the 2000s; in the end they dropped applets totally.

Now having #dependabot or #snyk is like just bringing in a new security hole, strangely the opposite of the intention.

Probably better to not upgrade if all versions are secure and stay there forever 😃

https://www.youtube.com/watch?v=o7NYXvYohYk

Millions of JS devs just got penetrated by a RAT…

For dev tools and other projects where Denial of Service is not a concerning vulnerability, it's a wise idea to filter those out so that the noise of DoS vulnerabilities doesn't drown out the rest. Here's a filter for GitHub's #Dependabot alerts: gist.github.com/voxpelli/d68...
This filter documents the specific CWE family of resource exhaustion, uncontrolled iteration/recursion, and algorithmic-complexity weaknesses that are most likely to show up as dependency-driven denial-of-service risks

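As an added example of the filtering idea (my own code; the linked gist's contents are not reproduced on this page and the CWE set below is my assumption of what a "DoS family" looks like), a Python filter over Dependabot alert records in the shape returned by GitHub's REST endpoint `GET /repos/{owner}/{repo}/dependabot/alerts`. The alerts themselves are constructed, with placeholder GHSA ids and package names.

```python
from typing import List

# CWE ids treated as the denial-of-service family: resource exhaustion,
# uncontrolled iteration/recursion and algorithmic complexity. This set is the
# example's own assumption, not the contents of the gist linked in the post.
DOS_CWES = {
    "CWE-400",   # Uncontrolled Resource Consumption
    "CWE-770",   # Allocation of Resources Without Limits or Throttling
    "CWE-835",   # Loop with Unreachable Exit Condition ('Infinite Loop')
    "CWE-674",   # Uncontrolled Recursion
    "CWE-407",   # Inefficient Algorithmic Complexity
    "CWE-1333",  # Inefficient Regular Expression Complexity (ReDoS)
}

# Constructed alerts (not real advisories), shaped like items from
# GET /repos/{owner}/{repo}/dependabot/alerts. Only the fields used here are kept.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open",
     "dependency": {"package": {"ecosystem": "npm", "name": "example-regex-lib"}},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-0001", "severity": "high",
                           "cwes": [{"cwe_id": "CWE-1333", "name": "Inefficient Regular Expression Complexity"}]}},
    {"number": 2, "state": "open",
     "dependency": {"package": {"ecosystem": "npm", "name": "example-template-lib"}},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-0002", "severity": "critical",
                           "cwes": [{"cwe_id": "CWE-94", "name": "Improper Control of Generation of Code"}]}},
    {"number": 3, "state": "open",
     "dependency": {"package": {"ecosystem": "pip", "name": "example-parser-lib"}},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-0003", "severity": "moderate",
                           "cwes": [{"cwe_id": "CWE-400", "name": "Uncontrolled Resource Consumption"},
                                    {"cwe_id": "CWE-20", "name": "Improper Input Validation"}]}},
    {"number": 4, "state": "open",
     "dependency": {"package": {"ecosystem": "pip", "name": "example-auth-lib"}},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-0004", "severity": "high",
                           "cwes": []}},
]


def is_dos_only(alert: dict) -> bool:
    """True when every CWE on the advisory is in the DoS family.
    Alerts with no CWE data are not treated as DoS-only (nothing proves they are),
    and mixed advisories (DoS plus something else) are kept as well."""
    cwes = {c["cwe_id"] for c in alert["security_advisory"].get("cwes", [])}
    return bool(cwes) and cwes <= DOS_CWES


def without_dos(alerts: List[dict]) -> List[dict]:
    """The alert list with pure DoS advisories removed."""
    return [a for a in alerts if not is_dos_only(a)]


def dos_only(alerts: List[dict]) -> List[dict]:
    """Just the pure DoS advisories, for a separate low-priority review."""
    return [a for a in alerts if is_dos_only(a)]


def summarize(alerts: List[dict]) -> List[str]:
    """One line per alert: number, package, severity, CWE ids."""
    out = []
    for a in alerts:
        adv = a["security_advisory"]
        ids = ",".join(c["cwe_id"] for c in adv.get("cwes", [])) or "no-cwe"
        out.append(f"#{a['number']} {a['dependency']['package']['name']} {adv['severity']} [{ids}]")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(without_dos(SAMPLE_ALERTS))))
```

Feed it the JSON from `gh api /repos/OWNER/REPO/dependabot/alerts --paginate` and you get the list the post describes: only alerts whose advisory is entirely in the DoS family disappear, while an advisory that combines resource exhaustion with another weakness class, or carries no CWE at all, stays in the queue because the filter cannot show it is noise.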

⚠️ Go lib maintainer: GitHub's Dependabot is a 'noise machine'

「 He argues that dependencies should be updated according to the project's development cycle, not whenever a new version of a package appears. Updating quickly also carries some risk if malicious code has been added to a package. 」

https://www.theregister.com/2026/02/24/github_dependabot_noise_machine/

#Dependabot #vulnerability #github #opensource #cybersecurity

Go library maintainer brands GitHub's Dependabot a 'noise machine'

When a one-line fix triggers thousands of PRs, something's off
📢 Filippo Valsorda calls for disabling Dependabot in favour of govulncheck, for vulnerability alerts that are actually relevant
📝 Source: blog post by Filippo Valsorda (filippo.io), published 20 February 2026.
📖 cyberveille: https://cyberveille.ch/posts/2026-02-22-filippo-valsorda-appelle-a-desactiver-dependabot-au-profit-de-govulncheck-pour-des-alertes-vulnerabilites-pertinentes/
🌐 source: https://words.filippo.io/dependabot/
#CVE_2026_26958 #Dependabot #Cyberveille

Source: blog post by Filippo Valsorda (filippo.io), published 20 February 2026. Context: lessons from handling vulnerabilities and dependency updates in the Go ecosystem, with a concrete case tied to a cryptographic fix. The author asserts that Dependabot generates a heavy load of useless alerts (false positives, fanciful CVSS scores, alarmist "compatibility" claims), particularly for Go. Supporting example: after a security fix was published for filippo.io/edwards25519 (the Point.MultiScalarMult method), Dependabot opened thousands of PRs against unaffected repositories, including a false warning for the Wycheproof repository, which imported only the unaffected sub-package (filippo.io/edwards25519/field).

RE: https://mastodon.social/@h4ckernews/116105137504773423

I have a good story with #dependabot
I was working with a team that depended totally on a #bots #llms #ai stack. So one day, checking PRs, I noticed a PR that overrode the dependencies of the framework we used to build an API (#NestJS). Yeah, it was overriding the dependencies of NestJS in our repo, I mean the dependencies of the dependencies.

Why?

They told me that Dependabot had warned about it.

I'm pretty sure the solution came from #chatgpt hahahahaahhaa

Turn Dependabot Off

I recommend turning Dependabot off and replacing it with a pair of scheduled GitHub Actions, one running govulncheck, and the other running CI against the latest version of your dependencies.

Wow, found a great use case for GitHub Copilot. It can help Dependabot finish update bumps that require code changes!

#github #copilot #dependabot #update #upgrade #ai #migration #pullrequest #automation #developer #code #agents