I'm okay not being flagged for security vulnerabilities in our dependencies, we'll get them no matter what with dependabot runs
One thing I just remembered and I am noting here - it's somewhat standard practice apparently to ask dependabot not to propose any packages newer than 3 days. Why? To avoid ingesting packages that haven't had time for inspection by the wider security community yet. If you let dependabot go with just-published package, you may inadvertently be in the blast radius of a supply chain attack on a dependency that is published but not recognized as malware yet
dependabot has config parameters that can do it and LLMs are successful at making the PRs for same if you have any more of the OSS Claude tokens to burn
Originally posted by @mikehardy in #21038
Originally posted by @mikehardy in #21038