Steel for Vulnerabilities, Silver for Zombies: Hunting Java's Unseen Monsters

RE: https://mastodon.social/@hugovk/116399324188897230
Starting with v8.0.0, Astral switched setup-uv to immutable releases with no floating v8 tags. This is good for security.
But unfortunately #Dependabot and #Renovate couldn't upgrade from v7 to v8.0.0, and need a manual bump to get back on track. This is not so good for security.
I posted about this on the three social networks, someone tagged @www.jvt.me, and soon after Renovate now supports this! 🎉
Here's his writeup on the world of #GitHubActions tags:
https://www.jvt.me/posts/2026/04/24/github-actions-tagging/
Automating Dependabot PR review with Claude: solving tedious dependency management
To get rid of the hassle of reviewing the many PRs Dependabot generates one by one, I built an automated review tool using Claude's 'skill' feature.
Keeping dependencies up to date with Claude
How to keep your code dependencies updated automatically using Claude, npm and Dependabot without version hallucinations. Practical workflow ...
https://blog.donweb.com/mantener-codigo-actualizado-automatico-claude/
#dependenciasnpm #claudecode #dependabot #automatización #deudatécnica
After my recent playing around with #Copilot, I thought I'd take a look at my Github billing report to see how much I'd used. I have, this month, used US$5.80 worth of Copilot ... and US$870 of actions.
Most of those computrons got burned when #Dependabot pushed branches and then when it created pull requests so that it could whine at me about point releases of stuff like #CrossPlatformActions (https://github.com/cross-platform-actions/action).
1/n
🚨 TeamPCP hijacks Bitwarden CLI in supply chain attack, abusing GitHub Dependabot to deploy Shai-Hulud malware and steal developer secrets, poison AI coding tools.
Read: https://hackread.com/teampcp-bitwarden-cli-dependabot-shai-hulud-malware/
#CyberSecurity #TeamPCP #Malware #Bitwarden #GitHub #Dependabot
Do you use astral-sh/setup-uv@v7 in #GitHubActions?
And it's not hash-pinned?
And you use #Dependabot or #Renovate?
The setup-uv project has switched to only Vx.y.z tags, no more Vx or Vx.y.
But Dependabot and Renovate won't upgrade from Vx to Vx.y.z, so you'll need to manually update to setup-uv@v8.0.0 to keep up with future updates.
"To increase security even more we will stop publishing minor tags. You won't be able to use v8 or v8.0 any longer."
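The two posts above (the setup-uv v7 to v8.0.0 thread and the hash-pinning questions) come down to one check: which of your `uses:` references are a commit SHA, which are an exact tag, and which are a floating major or minor tag that a project may stop publishing. The script below is an added example and is not code from any of the posters, from Astral or from the setup-uv project. It scans the `uses:` lines of a workflow file with a regex (no YAML parser needed) and classifies each ref; the workflow text, the action names and the 40-hex commit SHA in it are constructed for the example.

```python
"""Classify GitHub Actions `uses:` references by how they are pinned.

Added example; the workflow below is constructed sample input, and the
40-character SHA in it is a placeholder, not a real setup-uv commit.
"""
import re
from dataclasses import dataclass

# A full-length git object id; the only form that does not move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# vX.Y.Z: an exact release tag (immutable only if the project publishes it so).
EXACT_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")
# vX or vX.Y: a floating tag the maintainer re-points (or stops publishing).
FLOATING_TAG_RE = re.compile(r"^v?\d+(\.\d+)?$")
# `- uses: owner/repo@ref   # optional comment`
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*?))?\s*$")


@dataclass
class ActionRef:
    action: str   # owner/repo or owner/repo/subdir
    ref: str      # the part after '@'
    kind: str     # sha | exact-tag | floating-tag | branch-or-other
    comment: str  # trailing '# ...' text, usually the human-readable version


def classify_ref(ref: str) -> str:
    """Map a ref string to one of the four pinning classes."""
    if SHA_RE.match(ref):
        return "sha"
    if EXACT_TAG_RE.match(ref):
        return "exact-tag"
    if FLOATING_TAG_RE.match(ref):
        return "floating-tag"
    return "branch-or-other"


def scan_workflow(text: str) -> list[ActionRef]:
    """Return every remote action reference found in a workflow file."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1).strip("\"'")
        comment = (m.group(2) or "").strip()
        # Local and container actions carry no git ref to pin.
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        findings.append(ActionRef(action, ref, classify_ref(ref), comment))
    return findings


def unpinned(findings: list[ActionRef]) -> list[ActionRef]:
    """Everything that is not a commit SHA can move under you."""
    return [f for f in findings if f.kind != "sha"]


# Constructed sample workflow: one floating major tag, one exact tag,
# one SHA-pinned action with its version comment, plus two refs to skip.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v8
      - uses: astral-sh/setup-uv@v8.0.0
      - uses: astral-sh/setup-uv@0123456789abcdef0123456789abcdef01234567 # v8.0.0
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
"""


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        note = f" ({f.comment})" if f.comment else ""
        print(f"{f.kind:16} {f.action}@{f.ref}{note}")
```

Run against a real `.github/workflows/*.yml` by replacing `SAMPLE_WORKFLOW` with the file contents; anything reported as `floating-tag` is what Dependabot and Renovate were unable to move from `v7` once only `vX.Y.Z` tags existed, and anything not reported as `sha` is not hash-pinned. The classifier deliberately treats `v8.0.0` as an exact tag rather than as pinned: a tag is immutable only when the project guarantees it, so the trailing `# v8.0.0` comment on a SHA-pinned line is the form to aim for.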

neither astral-sh/setup-uv@v8 nor astral-sh/setup-uv@v8.0 work -- only astral-sh/setup-uv@v8.0.0 works
Dependabot-Core: an analysis of the core library behind automatic dependency updates
Dependabot-Core is the core Ruby library that powers GitHub's automatic dependency update feature; it contains the update logic for a wide range of languages and package managers.
Minimum Release Age Is an Underrated Supply Chain Defense, by @daniakash.com:
https://daniakash.com/posts/simplest-supply-chain-defense/
#security #dependencies #npm #bun #pnpm #yarn #deno #renovate #dependabot #axios