My only experience with dependabot has been that GitHub spammed me with notifications from it. Now don't get me wrong, if I have a project with an outdated version of jQuery that has security vulnerabilities, it's useful to know about it. But it kept notifying me even after I committed a change to delete that jQuery file because the project no longer needed it. I couldn't find an easy way to get it to shut up about it.