No more dependabot in these repositories

Dependabot is a great tool: it automatically creates periodic pull requests in your repository when there are dependency updates or security fixes. It’s convenient, and a lot of projects use it. But when your repository doesn’t have much activity, it becomes a burden and noise, even when you configure it to only run once per month, the lowest frequency you can get.

Looking at the Can We repository, which has existed for 6 years and in which dependabot was added 3 years ago, there are now 192 pull requests: 67 are from myself and 127 from dependabot. But here’s the thing: I’ve closed 97 dependabot pull requests without merging them (and 2 of my own).

So today I Marie Kondo-ed it out of this repository, and will soon do the same on others (there are softer ways to disable it).
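As an added example (not configuration from the original post or the Can We repository), a dependabot.yml showing the lowest frequency mentioned above next to one of the softer alternatives: setting open-pull-requests-limit to 0 stops version-update pull requests for that ecosystem while Dependabot security updates, a separate repository setting, keep working. The package ecosystems and directory are assumptions for illustration.

```yaml
# Added example, not the repository's own configuration.
# Ecosystems and directory are assumed for illustration.
version: 2
updates:
  # Lowest frequency available: one check per month, still producing
  # pull requests whenever a newer version exists.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "monthly"

  # Softer alternative to deleting the file: a limit of 0 means no
  # version-update pull requests are opened for this ecosystem.
  # Security updates are controlled by a repository setting, not here,
  # so they are unaffected by this value.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 0
```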

Putting aside the noise in both the repo history and my GitHub notifications, a project with low activity and no security risks like Can We doesn’t need frequent maintenance. Also, dependabot won’t help with breaking changes and code migration for major updates, so I do them manually anyway.

As a developer, you often reuse stuff (code, configuration, workflows…) from one project to another, but sometimes the “defaults” you are used to don’t work that well everywhere, or things change and it’s time to make decisions.