We recently enabled Dependabot to automate dependency upgrades [1]. Results so far seem good, including having new CVE alerts!
Maybe we could automate further by auto-merging the PRs given some conditions, like a whitelist of dependencies that are now stable enough; when tests are green we shall not have problems. It seems GitHub now has an option to do this [2], so I was wondering what other members of the community thought and if you see any possible issues/drawbacks before starting any work on this.

[1] https://lists.apache.org/thread.html/r2a175f8b96dd7a5533336cf1b7438a5c8efcacdd4a06080926142734%40%3Cdev.avro.apache.org%3E
[2] https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/automatically-merging-a-pull-request
