From https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference?utm_source=chatgpt.com#open-pull-requests-limit- :
- "Security updates have a separate, internal limit of ten open pull requests which cannot be changed."

On Sat, Jan 17, 2026 at 11:52 AM Arturo Bernal <[email protected]> wrote:

> Hi,
>
> I agree — a monthly digest / batched updates should be the default. If a
> bump fixes a specific bug or CVE (or unblocks compatibility), we can still
> handle it as an exception and merge it promptly.
>
> Thanks,
> Arturo
>
> Arturo
>
> On Sat, Jan 17, 2026 at 12:18 PM Oleg Kalnichevski <[email protected]>
> wrote:
>
> > Folks
> >
> > Could we please refrain from merging each and every damn dependabot PR
> > for each and every minor version bump unless that version actually
> > fixes something in the code we depend upon? We have now tons of
> > optional dependencies and dependabot has become more of an annoyance to
> > me than of help.
> >
> > Oleg
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
