Reading up on Dependabot
3 deep · digging since mar 01
- Dumb Ways for an Open Source Project to Die
The piece enumerates dozens of distinct ways open-source projects become effectively dead, from maintainer abandonment to sabotage and ecosystem shifts.
- Package Managers Need to Cool Down
A survey finds that while many package managers and update tools have adopted dependency cooldowns to prevent supply chain attacks, implementations vary wildly in naming, scope, and timestamp handling, and major ecosystems like Go, Maven, and Gradle still lack support.
- Turn Dependabot off
Dependabot's version-based security alerts are noisy and less effective than static analysis tools that check reachability of vulnerable functions.