Dependabot security alerts have terrible signal-to-noise ratio, especially for Go vulnerabilities. That hurts security!

Just turn it off and set up a pair of scheduled GitHub Actions, one running govulncheck, and the other running CI against the latest version of your dependencies.

Less work, less risk, better results!

https://words.filippo.io/dependabot/?source=Mastodon

Turn Dependabot Off

I recommend turning Dependabot off and replacing it with a pair of scheduled GitHub Actions, one running govulncheck, and the other running CI against the latest version of your dependencies.
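One way to set up the pair of scheduled actions the post describes, as an added example rather than code from the linked article or from any of Filippo's own repositories: a single workflow with two jobs, one running govulncheck against the committed go.mod, the other upgrading every dependency in a throwaway working tree and running the test suite. The file path, cron schedule and action versions are assumptions; the only write the workflow needs is none, so the token is read-only.

```yaml
# .github/workflows/scheduled-deps.yml (hypothetical path, added example)
name: Scheduled dependency checks

on:
  schedule:
    - cron: "0 6 * * 1"   # every Monday 06:00 UTC (assumed schedule)
  workflow_dispatch:        # allow manual runs when trying it out

permissions:
  contents: read            # read-only token: neither job pushes anything

jobs:
  govulncheck:
    name: govulncheck against the committed go.mod
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # govulncheck reports only vulnerabilities in functions this module
      # actually reaches, which is where its better signal-to-noise comes
      # from compared with a flat dependency-version match.
      - run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...

  latest-deps:
    name: CI against latest dependency versions
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # Upgrade every direct and indirect dependency in this scratch
      # checkout, then run the normal build and tests. Nothing is committed;
      # a failure here is an early warning that the next upgrade needs work.
      - run: |
          go get -u ./...
          go mod tidy
          go build ./...
          go test ./...
```

A failing `latest-deps` job tells you an upgrade is coming that will need a human; a failing `govulncheck` job tells you a reachable vulnerability exists in what you ship today. Neither opens a pull request, so there is no opaque dependency-bump PR to rubber-stamp.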

@filippo I loathe Dependabot, even for zero-dependency projects, because every time I approve one of those rather opaque PRs, I think “The bad guys only have to compromise Dependabot or one of the adjacent CI-toolchain packages and they own the world, and probably do it in a way that I’m not smart enough to notice until too late.” Am I being unreasonable?

@timbray I had a joke tweet to that effect at some point. It is worrying if you think too much about it.

@timbray You can self-host it.

@timbray Will you run Dependabot on itself then, though?

Is this the 2026 version of trusting trust?