#dependabot — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #dependabot, aggregated by home.social.
-
RE: https://mastodon.social/@hugovk/116399324188897230
Starting with v8.0.0, Astral switched setup-uv to immutable releases with no floating v8 tags. This is good for security.
But unfortunately #Dependabot and #Renovate couldn't upgrade from v7 to v8.0.0, and need a manual bump to get back on track. This is not so good for security.
I posted about this on the three social networks, someone tagged @www.jvt.me, and soon after, Renovate now supports this! 🎉
Here's his writeup into the world of #GitHubActions tags:
https://www.jvt.me/posts/2026/04/24/github-actions-tagging/
-
Good :blobnomcookie:
-
After my recent playing around with #Copilot, I thought I'd take a look at my GitHub billing report to see how much I'd used. I have, this month, used US$5.80 worth of Copilot ... and US$870 of actions.
Most of those computrons got burned when #Dependabot pushed branches and then when it created pull requests so that it could whine at me about point releases of stuff like #CrossPlatformActions (https://github.com/cross-platform-actions/action).
1/n
-
🚨 TeamPCP hijacks Bitwarden CLI in supply chain attack, abusing GitHub Dependabot to deploy Shai-Hulud malware and steal developer secrets, poison AI coding tools.
Read: https://hackread.com/teampcp-bitwarden-cli-dependabot-shai-hulud-malware/
#CyberSecurity #TeamPCP #Malware #Bitwarden #GitHub #Dependabot
-
Do you use astral-sh/setup-uv@v7 in #GitHubActions?
And it's not hash-pinned?
And you use #Dependabot or #Renovate?
The setup-uv project has switched to only Vx.y.z tags, no more Vx or Vx.y.
But Dependabot and Renovate won't upgrade from Vx to Vx.y.z, so you'll need to manually update to setup-uv@v8.0.0 to keep up with future updates.
"To increase security even more we will stop publishing minor tags. You won't be able to use v8 or v8.0 any longer."
-
Minimum Release Age Is an Underrated Supply Chain Defense, by @daniakash.com:
https://daniakash.com/posts/simplest-supply-chain-defense/
#security #dependencies #npm #bun #pnpm #yarn #deno #renovate #dependabot #axios
-
Is #js the next #java applets? Some may remember there were so many viruses and hacks happening with #applets around the 2000s; in the end they dropped the applets totally.
Now having #dependabot or #snyk is like just bringing a new security hole, strangely opposite to the intention.
Probably better to not upgrade if all versions are secure and stay there forever 😃
-
⚠️ Go lib maintainer: GitHub's Dependabot is a 'noise machine'
「 He argues that dependencies should be updated according to the project's development cycle, not whenever a new version of a package appears. Updating quickly also carries some risk if malicious code has been added to a package. 」
https://www.theregister.com/2026/02/24/github_dependabot_noise_machine/
#Dependabot #vulnerability #github #opensource #cybersecurity
-
RE: https://mastodon.social/@h4ckernews/116105137504773423
I have a good story with #dependabot
I was working with a team that depended totally on the #bots #llms #ai stack. So one day, checking PRs, I noticed a PR that overrides the dependencies of the framework that we used to build an API (#NestJS). Yeah, it was overriding the dependencies of NestJS in our repo, I mean the dependencies of the dependencies. Why?
They told me that dependabot warned about it.
I'm pretty sure the solution came from #chatgpt hahahahaahhaa
-
Wow, found a great use case for GitHub Copilot. It can help Dependabot finish update bumps that require code changes!
#github #copilot #dependabot #update #upgrade #ai #migration #pullrequest #automation #developer #code #agents