My only experience with dependabot has been that GitHub spammed me with notifications from it. Now don't get me wrong, if I have a project with an outdated version of jQuery that has security vulnerabilities, it's useful to know about it. But it kept notifying me even after I committed a change to delete that jQuery file because the project no longer needed it. I couldn't find an easy way to get it to shut up about it.
Is Dependabot actively maintained? I thought they announced a freeze on new features a while back, and their uv support never worked properly and has serious known security problems:
> There's an issue where security alerts for uv projects are not working correctly. Specifically, the uv.lock file is not being updated when security alerts are triggered.
— https://github.com/dependabot/dependabot-core/issues/10478#i...
I hate it with a passion. It won't respect pinned versions in package.json. I have to explicitly exclude stuff. Be better.
tl;dr: a GitHub Action with a cron schedule that runs whatever code is required to update whatever you have, and then pushes the diff (if any) to a branch and creates a PR (if needed)
We are using something heavily derived from https://github.com/romoh/dependencies-autoupdate
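The cron-driven workflow described in the comment above, written out as an added example (this is not the commenter's workflow nor code from the romoh/dependencies-autoupdate repository). It assumes `npm update` is the project's update command and that the `gh` CLI is available on the runner; the branch name and PR text are placeholders.

```yaml
name: dependency-autoupdate

on:
  schedule:
    - cron: "0 6 * * 1"   # every Monday 06:00 UTC
  workflow_dispatch:       # allow a manual run for testing

# Least privilege: the job only needs to push a branch and open a PR.
permissions:
  contents: write
  pull-requests: write

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run the project's update command (assumed: npm)
        run: npm update

      - name: Push a branch and open a PR only if something changed
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # git status catches new/deleted files that git diff alone would miss
          if [ -z "$(git status --porcelain)" ]; then
            echo "No dependency changes"; exit 0
          fi
          branch="deps/auto-update-$(date -u +%Y%m%d)"   # placeholder naming scheme
          git config user.name  "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git checkout -b "$branch"
          git add -A
          git commit -m "chore(deps): automated dependency update"
          git push --force origin "$branch"
          # Create the PR only if one for this branch is not already open
          if [ "$(gh pr list --head "$branch" --json number --jq 'length')" = "0" ]; then
            gh pr create --base "$GITHUB_REF_NAME" --head "$branch" \
              --title "chore(deps): automated dependency update" \
              --body "Opened by the scheduled dependency-autoupdate workflow."
          fi
```

Note that a PR pushed with the default `GITHUB_TOKEN` does not trigger other workflows (such as CI) on that PR; reviewing the diff of a bot-authored update before merging is the control that keeps this from becoming an unattended supply-chain channel.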
Dependabot has a free quota to get you hooked, but renovate is the better product. So I consider reflecting on how dependabot works a bit of a waste. I started with the former and gradually migrated to the latter. I particularly like the regex handler; you can track pretty much anything.