Dependabot security alerts have terrible signal-to-noise ratio, especially for Go vulnerabilities. That hurts security!

Just turn it off and set up a pair of scheduled GitHub Actions, one running govulncheck, and the other running CI against the latest version of your dependencies.

Less work, less risk, better results!

https://words.filippo.io/dependabot/?source=Mastodon

Turn Dependabot Off

I recommend turning Dependabot off and replacing it with a pair of scheduled GitHub Actions, one running govulncheck, and the other running CI against the latest version of your dependencies.
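As an added example that is not from Filippo's post or the linked article, here is the pair of scheduled workflows it describes; the cron schedules and file names are assumptions, while `actions/checkout`, `actions/setup-go` and `golang.org/x/vuln/cmd/govulncheck` are the standard action names and module path.

```yaml
# Added example, not from the original post. Assumed path: .github/workflows/govulncheck.yml
name: govulncheck
on:
  schedule:
    - cron: "0 6 * * *"   # assumed: daily, so new vulndb entries show up within a day
  workflow_dispatch:
permissions:
  contents: read          # read-only token; nothing here needs to push
jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      # Fails only when a vulnerable symbol is actually reachable from this module,
      # which is what keeps the noise down compared to version-range matching.
      - run: govulncheck ./...
---
# Added example, not from the original post. Assumed path: .github/workflows/latest-deps.yml
name: ci-latest-deps
on:
  schedule:
    - cron: "0 7 * * 1"   # assumed: weekly
  workflow_dispatch:
permissions:
  contents: read
jobs:
  test-latest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # Bump every direct and indirect dependency (test deps included) to its latest
      # release in the job's working tree only; nothing is committed or pushed, so the
      # job is purely a signal that upgrading would (or would not) break the build.
      - run: go get -u -t ./... && go mod tidy
      - run: go build ./... && go test ./...
```

A failing run of the second workflow is the cue to update on your own schedule, rather than a stream of per-dependency PRs.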

Dependabot-based dependency graphs for Go - GitHub Changelog

Continuing the supply chain security theme of continually improving our package ecosystem support, Go projects will now see more complete and accurate transitive dependency trees in their dependency graphs and…

The GitHub Blog

@jamesog That post makes almost no sense to me. If they are talking about module deps, since Go 1.17 go.mod has all the dependencies, there is nothing dynamic about it. If they are talking about package deps, it's not working.

@filippo GitHub doing something that doesn't make sense? I'm shocked. SHOCKED.

@filippo this is super cool. Do you know of any similar approaches in other languages?

@filippo
the `symbols` field in the OSV example you give looks like the biggest false-positive-reducing feature, so I'd love to see it used in other programming languages.

But couldn't find any mention of it in the OSV schema[1] and it doesn't seem like api.osv.dev propagates it[2].

Is this some golang-specific extension? Or something in the process of being added to the standard?

[1]: https://ossf.github.io/osv-schema/
[2]: https://api.osv.dev/v1/vulns/GHSA-fw7p-63qq-7hpr

Open Source Vulnerability format - Open Source Vulnerability schema

@filippo yep, been doing that on my repos and at work too. Dependabot is pure noise.

@filippo I loathe Dependabot, even for zero-dependency projects, because every time I approve one of those rather-opaque PRs, I think “The bad guys only have to compromise Dependabot or one of the adjacent CI-toolchain packages and they own the world and probably do it in a way that I’m not smart enough to notice until too late.” Am I being unreasonable?

@timbray I had a joke tweet to that effect at some point. It is worrying if you think too much about it.

@timbray you can self host it

@timbray will you run dependabot on itself then though

Is this the 2026 version of trusting trust?