On Mon, 3 Nov 2025 at 17:26, Piotr P. Karwasz <[email protected]> wrote:
>
> Hi Emmanuel,
>
> On 3.11.2025 17:08, Emmanuel Bourg wrote:
> > And I suggest disabling Dependabot on components last released more
> > than 2 years ago. For example Digester, last released 14 years ago,
> > doesn't need weekly dependency updates.
>
> Dependabot actually pauses automatically after about 90 days of
> inactivity (see this blog post [1]). However, this relies on some
> collective discipline: we should avoid interacting with Dependabot
> unless the repository itself shows recent, non-trivial activity.
>
> I’d like to suggest the following approach: let’s ignore Dependabot PRs
> until one of the following happens:
>
> - A new non-Dependabot PR is opened in the repository, or
> - We commit other changes to the repository.
>
> At that point, we can review and merge the pending Dependabot updates as
> part of the regular maintenance.

That would reduce some of the noise, but not all of it. And as soon as a commit is made, there will be another 90 days before Dependabot stops making noises. I still think quarterly reports are worth trying.

> Piotr
>
> [1]
> https://github.blog/security/supply-chain-security/a-smarter-quieter-dependabot/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
> ---------------------------------------------------------------------
