⚠️ Go lib maintainer: GitHub's Dependabot is a 'noise machine'

「 He argues that dependencies should be updated according to the project's development cycle, not whenever a new version of a package appears. Updating quickly also carries some risk if malicious code has been added to a package. 」

https://www.theregister.com/2026/02/24/github_dependabot_noise_machine/

#Dependabot #vulnerability #github #opensource #cybersecurity

Go library maintainer brands GitHub's Dependabot a 'noise machine'

When a one-line fix triggers thousands of PRs, something's off

The Register
📢 Filippo Valsorda calls for disabling Dependabot in favour of govulncheck for relevant vulnerability alerts
📝 Source: blog post by Filippo Valsorda (filippo.io), published 20 February 2026.
📖 cyberveille : https://cyberveille.ch/posts/2026-02-22-filippo-valsorda-appelle-a-desactiver-dependabot-au-profit-de-govulncheck-pour-des-alertes-vulnerabilites-pertinentes/
🌐 source : https://words.filippo.io/dependabot/
#CVE_2026_26958 #Dependabot #Cyberveille
Filippo Valsorda calls for disabling Dependabot in favour of govulncheck for relevant vulnerability alerts

Source: blog post by Filippo Valsorda (filippo.io), published 20 February 2026. Context: a first-hand account of managing vulnerabilities and dependency updates in the Go ecosystem, with a concrete case tied to a cryptographic fix.

• The author states that Dependabot generates a heavy load of useless alerts (false positives, fanciful CVSS scores, alarmist "compatibility" warnings), particularly for Go. Supporting example: after a security fix was published for filippo.io/edwards25519 (the Point.MultiScalarMult method), Dependabot opened thousands of PRs against unaffected repositories, including a false warning for the Wycheproof repository, which imported only the unaffected subpackage (filippo.io/edwards25519/field).

CyberVeille

RE: https://mastodon.social/@h4ckernews/116105137504773423

I have a good story with #dependabot
I was working with a team that depended totally on the #bots #llms #ai stack. So one day, checking PRs, I noticed a PR that overrides the dependencies of the framework that we used to build an API (#NestJS). Yeah, it was overriding the dependencies of NestJS in our repo, I mean the dependencies of the dependencies.

Why?

They told me that dependabot warned about it.

I'm pretty sure the solution came from #chatgpt hahahahaahhaa

Turn Dependabot Off

I recommend turning Dependabot off and replacing it with a pair of scheduled GitHub Actions, one running govulncheck, and the other running CI against the latest version of your dependencies.
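The pair of scheduled Actions described above, written out as one workflow with two jobs, as an added example that is not code from Valsorda's post or from the Register article; the weekly cron, the Go module at the repository root and the use of actions/setup-go are assumptions:

```yaml
# Added example, not from the original post. Assumes a Go module at the
# repo root and a weekly cadence; adjust the cron to your release cycle.
name: dependency-hygiene

on:
  schedule:
    - cron: "0 6 * * 1"   # every Monday 06:00 UTC (assumed cadence)
  workflow_dispatch:

permissions:
  contents: read

jobs:
  govulncheck:
    # govulncheck only reports vulnerabilities in functions this module
    # actually reaches, so an advisory for an unused subpackage (the
    # Wycheproof case in the post) produces no alert here.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - run: govulncheck ./...

  latest-deps:
    # Does the module still build and pass its tests on the newest version
    # of every dependency? Nothing is committed: a failure here tells you
    # that a future upgrade will need code changes, so you can plan it.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go get -u -t ./... && go mod tidy
      - run: go build ./... && go test ./...
```

Because the second job never pushes the updated go.mod, the upgrade itself still happens on the project's own schedule, which is the point the post makes about not bumping on every new release.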

Wow, found a great use case for GitHub Copilot. It can help Dependabot finish update bumps that require code changes!

#github #copilot #dependabot #update #upgrade #ai #migration #pullrequest #automation #developer #code #agents

#Dependabot on #GitHub is a great thing. Also, required checks and branch protection are great.
How To Configure Dependabot To Automatically Upgrade OpenJDK In Docker Images

A common issue you may want to automate as part of your CI/CD pipelines is the upgrading of your JDK in Docker images. Similar to how you…

Medium

A new Prettier plugin helps automate keeping the Dependabot config consistent across many GitHub repos. Developed as open source, this tool helps developers tidy their configuration and improve DevOps efficiency. #mởnguồn #GitHub #Dependabot #DevTools #phầnMềmPhátTriển

https://www.reddit.com/r/opensource/comments/1qqm48a/i_wrote_this_prettier_plugin_to_keep_my/

What if code quality wasn’t a tool you configured or had to maintain yourselves, but something GitHub just did for your repositories?

Read my latest article to find out all about this new feature and see how it can simplify the way you handle code quality scans.

https://medium.com/devops-by-nature/what-is-github-code-quality-bcb74890ef9e?sk=990e0cded0528ebd20b71629f67d5426

#cicd #codequality #devops #devsecops #git #github #ghas #codeql #dependabot #scm #vcs #versioncontrol #opensource #devlearning #softwaredevelopment #softwareengineering