<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="../assets/xml/rss.xsl" media="all"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>A Tiro's Blog (Posts about github)</title><link>https://tiro.org.uk/</link><description></description><atom:link href="https://tiro.org.uk/blog/categories/github.xml" rel="self" type="application/rss+xml"></atom:link><language>en</language><lastBuildDate>Sat, 04 Apr 2026 15:49:49 GMT</lastBuildDate><generator>Nikola (getnikola.com)</generator><docs>http://blogs.law.harvard.edu/tech/rss</docs><item><title>Keeping Dependabot Happy</title><link>https://tiro.org.uk/blog/posts/2026/04/keeping-dependabot-happy/</link><dc:creator>Richard Palmer</dc:creator><description>&lt;p&gt;I found this post from &lt;a class="reference external" href="https://words.filippo.io/dependabot/"&gt;Filippo Valsorda&lt;/a&gt; interesting as it's
increasingly seemed like what was originally something useful (finding out about security alerts
for dependencies) has become a beast that must be fed every day. The satisfaction of closing a few
Dependabot PRs is swiftly followed by deflation as 2-3x that many new PRs are created the next day. One
thing that would make it much more useful (and I'm baffled as to why it's not done by GitHub) is to have
a clearer UI that splits out PRs into those from developers, security PRs (important!) and then the endless
dependency update ones that can be considered as and when. Instead, if you don't keep merging them, you
end up with an open PR count in the hundreds and a feeling that you are not maintaining things.&lt;/p&gt;</description><category>dependabot</category><category>github</category><category>maintainance</category><category>software</category><guid>https://tiro.org.uk/blog/posts/2026/04/keeping-dependabot-happy/</guid><pubDate>Sat, 04 Apr 2026 15:39:20 GMT</pubDate></item></channel></rss>