https://coderrob.com/tags/security/Recent content in Security on CoderrobHugoen-usMon, 18 May 2026 00:00:00 -0500https://coderrob.com/posts/dependabot-configuration-grouping-cooldown-ecosystems/Mon, 18 May 2026 00:00:00 -0500https://coderrob.com/posts/dependabot-configuration-grouping-cooldown-ecosystems/<p>Dependabot is one of those tools that can either quietly keep your dependencies moving or bury your team under a pile of tiny pull requests.</p> <p>The difference is configuration.</p> <p>Out of the box, Dependabot tends to think in very small units:</p> <ul> <li>one dependency</li> <li>one update</li> <li>one pull request</li> <li>repeat until morale improves</li> </ul> <p>That is fine for a small repo with three dependencies and the emotional complexity of a toaster. It is less fine for real projects with application packages, GitHub Actions, Docker images, Terraform modules, dev tooling, lockfiles, and a CI bill that starts to look like it has hobbies.</p>