
Comment by swisniewski

1 month ago

Take a look at pr-bot:

https://github.com/marqeta/pr-bot

The answer to Dependabot or Snyk PRs is to automatically merge them once all the status checks pass.

This frees your devs from having to worry about patching.

PR-BOT will let you define policy on when it's OK to automerge PRs.

I don't have experience with Dependabot at all. I didn't realize it was satire. I just kept thinking, "This sounds like terrible advice. This can't be right."

  • This is not satire.

    If you have a large dependency graph, you are going to have a lot of vulnerable stuff.

    Letting one computer send you patches and the other computer merge them for you when all your tests pass is a good thing.