I'd weakly prefer to keep dependabot running, otherwise I'll forget to
update dependencies / check for CVEs.

As a devil's advocate, a PR per dependency is useful when an upgrade breaks
the build. In this case, not only do you know exactly which dependency to
blame, you can also upgrade the rest of them while triaging/fixing/ignoring
the one that broke.

Best,
Alex

On Thu, Feb 26, 2026 at 8:48 AM Henrik Ingo <[email protected]> wrote:

> Hi
>
> How do others feel about dependabot? I always turn it off in my projects,
> but I realize that is a backwards grumpy old man habit probably...
>
> In any case, current situation is a great example why I don't like it: Why
> do I need to deal with 4 separate PRs for a routine upgrade? My preference
> is to upgrade larger chunks (python 3.8 to 3.13 is a bit extreme, but
> still...)
>
> henrik
>
> --
> *nyrkio.com <http://nyrkio.com/>* ~ *Continuous Benchmarking as a Service*
>
> Henrik Ingo, CEO
> [email protected]                               LinkedIn:
> www.linkedin.com/in/heingo
> +358 40 569 7354                                 Twitter:
> twitter.com/h_ingo
>