I don't understand why GitHub does not invest more into Dependabot. Everyone needs something like this, and GitHub is positioned to offer the best SCA tool there is. And yet... stuff like grouping has only been recently added.
Anyhow, this is useful to roll out dependabot.yaml config at scale: https://github.com/github/evergreen
Renovate isn't special with how it authenticates - you can run it as your own user, i.e. https://github.com/jamietanna/oapi-codegen/pull/12, and Renovate runs against GitLab, Bitbucket and I believe other platforms too
https://github.com/bodinsamuel/renovate-automatic-branch
So you have nothing to do except a big review once in a while.
Oh yes, https://github.com/dependabot/dependabot-core/issues/3253. I wouldn't go so far as saying it was locked because it was too uncivil, mostly just because "additional commentary wasn't adding value" ;)
Your read on the situation is spot on, and no, it doesn't look like it's been "fixed" (mostly because "fixing it would re-introduce the same potential vulnerability").
This is a big deal! Where did you read this? I found:
https://github.com/renovatebot/renovate/discussions/26917
Started using renovate to update a few internal dependencies.
A few years later more than 30 projects using it and almost all of that growth happened naturally: https://gitlab.com/gitlab-org/frontend/renovate-gitlab-bot
We operate on a fork (5 commits or so) which contains some hacks to support a forked workflow on GitLab and some minor adjustments for that workflow. Really need to upstream some of it: https://gitlab.com/gitlab-org/frontend/renovate-fork/-/merge...
The author was always super kind, responsive and accommodating.