Dependabot security alerts have terrible signal-to-noise ratio, especially for Go vulnerabilities. That hurts security!

Just turn it off and set up a pair of scheduled GitHub Actions, one running govulncheck, and the other running CI against the latest version of your dependencies.

Less work, less risk, better results!

https://words.filippo.io/dependabot/?source=Mastodon

Turn Dependabot Off

I recommend turning Dependabot off and replacing it with a pair of scheduled GitHub Actions, one running govulncheck, and the other running CI against the latest version of your dependencies.
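Added example, not from the post or from the linked article: one workflow file that implements the two scheduled jobs described above. The file path `.github/workflows/deps.yml`, the cron expression and the job names are assumptions; the actions and commands used (`actions/checkout`, `actions/setup-go`, `golang.org/x/vuln/cmd/govulncheck`, `go get -u -t ./...`) are real. `govulncheck` exits non-zero only when a known vulnerability is reachable from your code, which is what makes its output far quieter than Dependabot alerts on the same module graph.

```yaml
# Added example (.github/workflows/deps.yml is an assumed path), not code from
# the post or the linked blog. Two scheduled jobs: reachability-based vuln
# scan, and a build+test run against the newest versions of all dependencies.
name: scheduled-dependency-checks

on:
  schedule:
    - cron: "17 6 * * *"   # daily; off the top of the hour (assumed schedule)
  workflow_dispatch:       # allow manual runs for debugging

permissions:
  contents: read

jobs:
  govulncheck:
    # Reports only vulnerabilities whose affected symbols are reachable from
    # this module's code; unreachable ones are not reported, which is the
    # signal-to-noise gain over Dependabot. Non-zero exit fails the job.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: stable
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - run: govulncheck ./...

  latest-deps:
    # Upgrades every direct and indirect dependency (test dependencies too)
    # to the latest version and runs the normal build and tests against that
    # state. Nothing is committed: a failure here is early warning that a
    # future upgrade will break the build, not a change to the repository.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: stable
      - run: go get -u -t ./...
      - run: go mod tidy
      - run: git diff --stat -- go.mod go.sum   # log which modules moved
      - run: go build ./... && go test ./...
```

A `go get -u` run stays within the major versions already in `go.mod`, so the `latest-deps` job exercises the upgrades Dependabot would otherwise propose one PR at a time; when it goes red, the `git diff --stat` step in the job log shows which module versions changed, and the actual upgrade can be done as one deliberate commit.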

Dependabot-based dependency graphs for Go - GitHub Changelog

Continuing the supply chain security theme of continually improving our package ecosystem support, Go projects will now see more complete and accurate transitive dependency trees in their dependency graphs and…

The GitHub Blog
@jamesog That post makes almost no sense to me. If they are talking about module deps, since Go 1.17 go.mod has all the dependencies, there is nothing dynamic about it. If they are talking about package deps, it's not working.
@filippo GitHub doing something that doesn't make sense? I'm shocked. SHOCKED.