Hi Emmanuel,

On 3.11.2025 17:08, Emmanuel Bourg wrote:
> And I suggest disabling dependabot on components last released more
> than 2 years ago. For example Digester last released 14 years ago
> doesn't need weekly dependency updates.

Dependabot actually pauses automatically after about 90 days of inactivity (see this blog post [1]). However, this relies on some collective discipline: we should avoid interacting with Dependabot unless the repository itself shows recent, non-trivial activity.

I'd like to suggest the following approach: let's ignore Dependabot PRs until one of the following happens:

- A new non-Dependabot PR is opened in the repository, or
- We commit other changes to the repository.

At that point, we can review and merge the pending Dependabot updates as part of the regular maintenance.

Piotr

[1] https://github.blog/security/supply-chain-security/a-smarter-quieter-dependabot/
