re: GitHub acquires Dependabot VIEW POST

FULL DISCUSSION
 

Should be valuable for teams with little time to do this themselves, and encourages good testing hygiene, so you can actually accept all the PRs coming your way from the bot :)

There are other options of course: Snyk (as mentioned elsewhere) and OWASP Dependency Check, both of which concentrate on matching package versions in use with know vulnerabilities, thereby focusing on security rather than keeping up with the latest major version.. YMMV.

code of conduct - report abuse