Dependabot security alerts have terrible signal-to-noise ratio, especially for Go vulnerabilities. That hurts security!

Just turn it off and set up a pair of scheduled GitHub Actions, one running govulncheck, and the other running CI against the latest version of your dependencies.

Less work, less risk, better results!

https://words.filippo.io/dependabot/?source=Mastodon

Turn Dependabot Off

I recommend turning Dependabot off and replacing it with a pair of scheduled GitHub Actions, one running govulncheck, and the other running CI against the latest version of your dependencies.
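As an added example (not from the linked blog post or its author), here is one way to express that pair as two scheduled jobs in a single GitHub Actions workflow. The cron schedule, job names, the `go get -u -t ./...` update strategy and the use of `go install` rather than a marketplace action are this example's own assumptions, not the post's.

```yaml
# .github/workflows/deps.yml (example; file name and schedule are assumptions)
name: dependency-health

on:
  schedule:
    - cron: "0 6 * * *"   # daily; pick whatever cadence suits the repo
  workflow_dispatch:      # allow running by hand when a new advisory lands

permissions:
  contents: read          # neither job needs to write to the repo

jobs:
  # Job 1: report only vulnerabilities that are actually reachable from this
  # module's code, which is what makes govulncheck quieter than Dependabot.
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # use the toolchain version the module declares
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Scan for reachable known vulnerabilities
        run: govulncheck ./...      # non-zero exit fails the job only on reachable findings

  # Job 2: prove the code still builds and tests pass against the newest
  # versions of every dependency, so upgrades stay cheap when you do need one.
  latest-deps:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Upgrade all direct and test dependencies to latest
        run: |
          go get -u -t ./...
          go mod tidy
          git --no-pager diff --stat go.mod go.sum   # show what moved, for the logs
      - name: Build and test against upgraded dependencies
        run: |
          go build ./...
          go test ./...
```

The scan job fails only when a vulnerable function is reachable from the module, and the second job fails only when an actual upgrade breaks the build or tests, so a red run in either one is worth a human's attention.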

@filippo yep, been doing that on my repos and at work too. Dependabot is pure noise.