I very much like all the emails due to dependabot. Furthermore, if it is going 
to create 25 PRs then it also needs to create Jira issues and include updates 
to changes.xml, otherwise it just creates a lot of work. Furthermore, I have 
never been in favor of updating dependency versions without a compelling 
reason.

On the other hand, if it generated reports that we could include in the web 
site indicating we were compatible or if there are problems I would find that 
much more valuable. I would really prefer to have the versions set to the 
lowest version we support but have verified that it runs with newer versions. 
IOW, if dependabot could just perform its test builds and document the results 
that would be great. I also wouldn’t mind if it created PRs when a dependency 
has a CVE and needs to be updated due to that (hence increasing the lowest 
version we support). 

I know Gary loves dependabot and always wants everything at the latest version. 
What do others think?

Ralph
