Is #js the next #java applets? Some may remember there were so many viruses and hacks happening with #applets around the 2000s; in the end they dropped applets entirely.

Now having #dependabot or #snyk is like just bringing in a new security hole, strangely the opposite of the intention.

Probably better to not upgrade if all versions are secure and stay there forever 😃

https://www.youtube.com/watch?v=o7NYXvYohYk

Millions of JS devs just got penetrated by a RAT…
For dev tools and other projects where Denial of Service is not a concerning vulnerability, it's a wise idea to filter those out so that the noise of DoS vulnerabilities doesn't drown out the rest. Here's a filter for GitHub's #Dependabot alerts: gist.github.com/voxpelli/d68...
This filter documents the specific CWE family of resource exhaustion, uncontrolled iteration/recursion, and algorithmic-complexity weaknesses that are most likely to show up as dependency-driven denial-of-service risks

⚠️ Go lib maintainer: GitHub's Dependabot is a 'noise machine'

「 He argues that dependencies should be updated according to the project's development cycle, not whenever a new version of a package appears. Updating quickly also carries some risk if malicious code has been added to a package. 」

https://www.theregister.com/2026/02/24/github_dependabot_noise_machine/

#Dependabot #vulnerability #github #opensource #cybersecurity

Go library maintainer brands GitHub's Dependabot a 'noise machine': When a one-line fix triggers thousands of PRs, something's off
📢 Filippo Valsorda calls for disabling Dependabot in favour of govulncheck for relevant vulnerability alerts
📝 Source: blog post by Filippo Valsorda (filippo.io), published 20 February 2026.
📖 cyberveille : https://cyberveille.ch/posts/2026-02-22-filippo-valsorda-appelle-a-desactiver-dependabot-au-profit-de-govulncheck-pour-des-alertes-vulnerabilites-pertinentes/
🌐 source : https://words.filippo.io/dependabot/
#CVE_2026_26958 #Dependabot #Cyberveille
Filippo Valsorda calls for disabling Dependabot in favour of govulncheck for relevant vulnerability alerts

Source: blog post by Filippo Valsorda (filippo.io), published 20 February 2026. Context: lessons learned from managing vulnerabilities and dependency updates in the Go ecosystem, with a concrete case involving a cryptographic fix.

• The author states that Dependabot generates a heavy load of useless alerts (false positives, fanciful CVSS scores, alarmist "compatibility" notices), especially for Go. Supporting example: after a security fix was published for filippo.io/edwards25519 (the Point.MultiScalarMult method), Dependabot opened thousands of PRs against unaffected repositories, including a false warning for the Wycheproof repository, which only imported the unaffected subpackage (filippo.io/edwards25519/field).

RE: https://mastodon.social/@h4ckernews/116105137504773423

I have a good story about #dependabot.
I was working with a team that depended totally on a #bots #llms #ai stack. So one day, checking PRs, I noticed a PR that overrode the dependencies of the framework we used to build an API (#NestJS). Yeah, it was overriding the dependencies of NestJS in our repo, I mean the dependencies of the dependencies.

Why?

They told me that dependabot had warned about it.

I'm pretty sure the solution came from #chatgpt hahahahaahhaa

Turn Dependabot Off

I recommend turning Dependabot off and replacing it with a pair of scheduled GitHub Actions, one running govulncheck, and the other running CI against the latest version of your dependencies.
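As an added example (not code from Filippo Valsorda's post or from any project on this page), one way to wire up the pair of scheduled workflows he describes; the file path, cron cadence and action versions are assumptions:

```yaml
# Constructed example: .github/workflows/dependency-health.yml (path is an assumption)
name: dependency-health

on:
  schedule:
    - cron: "0 6 * * 1"   # weekly, Monday 06:00 UTC; tune to the project's own release cadence
  workflow_dispatch:

permissions:
  contents: read

jobs:
  # Job 1: report only vulnerabilities in functions the module actually reaches,
  # instead of alerting on every advisory attached to a module in go.sum.
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - run: govulncheck ./...

  # Job 2: does the project still build and pass tests against the newest
  # versions of its dependencies? This never commits anything; a failure is a
  # signal for the maintainer to plan an upgrade on their own schedule.
  latest-deps:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Upgrade all direct and indirect dependencies in a throwaway checkout
        run: |
          go get -u -t ./...
          go mod tidy
      - run: go build ./... && go test ./...
```

Both jobs only read the repository, so a compromised newly-released dependency pulled in by the second job cannot push changes back; the result is a red check to investigate rather than an auto-merged bump.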

Wow, found a great use case for GitHub Copilot. It can help Dependabot finish update bumps that require code changes!

#github #copilot #dependabot #update #upgrade #ai #migration #pullrequest #automation #developer #code #agents

#Dependabot on #GitHub is a great thing. Also, required checks and branch protection are great.
How To Configure Dependabot To Automatically Upgrade OpenJDK In Docker Images

A common issue you may want to automate as part of your CI/CD pipelines is the upgrading of your JDK in Docker images. Similar to how you…

Medium

A new Prettier plugin helps automate keeping the Dependabot config consistent across multiple GitHub repos. Developed as open source, this tool helps developers optimise their configuration and improve DevOps efficiency. #mởnguồn #GitHub #Dependabot #DevTools #phầnMềmPhátTriển

https://www.reddit.com/r/opensource/comments/1qqm48a/i_wrote_this_prettier_plugin_to_keep_my/