hi! I feel like Dependabot is mostly generating spam on PRs and on the mailing lists. Looking at CXF, for example, you almost don't see any 'normal' traffic anymore. And even at OWB it's mostly false positives, as Dependabot doesn't work properly with all those APIs targeting different Jakarta EE spec versions.
And for other stuff I usually go through all our dependencies manually via $> mvn versions:display-plugin-updates and $> mvn versions:display-dependency-updates and do all the updates which make sense. That way our project is way less cluttered, and we also keep track of the updates in JIRA. wdyt?

txs and LieGrue,
strub
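As an added illustration of the manual triage described in this mail (not code from the author or from the versions-maven-plugin), the script below takes the report that `mvn versions:display-dependency-updates` prints, pulls out the "coordinate .... old -> new" lines, and sorts them into patch, minor and major bumps so the routine ones can be batched and the major ones get a JIRA ticket of their own. The report text embedded in it is a constructed sample with invented coordinates and versions; only the line format matches what the plugin prints.

```shell
#!/bin/sh
# Added example, not part of the versions-maven-plugin: triage the output of
#   mvn versions:display-dependency-updates
# into patch / minor / major bumps.

# Constructed sample of the report format (the "coord .... old -> new" lines);
# the coordinates and versions are invented for this example.
SAMPLE_REPORT='[INFO] The following dependencies in Dependency Management have newer versions:
[INFO]   org.example:lib-a ........................... 1.2.3 -> 1.2.4
[INFO]   org.example:lib-b ........................... 2.0.0 -> 3.0.0
[INFO]   org.example:lib-c ........................... 4.1.0 -> 4.2.0
[INFO]   org.example:lib-d ........................... 5.0.0 -> 5.0.1
[INFO]
[INFO] BUILD SUCCESS'

# classify_bump OLD NEW: prints major, minor, patch or same by comparing the
# first two dotted components (qualifiers such as -SNAPSHOT are not inspected).
classify_bump() {
  old_major=${1%%.*}; new_major=${2%%.*}
  old_rest=${1#*.};   new_rest=${2#*.}
  old_minor=${old_rest%%.*}; new_minor=${new_rest%%.*}
  if   [ "$old_major" != "$new_major" ]; then echo major
  elif [ "$old_minor" != "$new_minor" ]; then echo minor
  elif [ "$1" != "$2" ];                 then echo patch
  else echo same
  fi
}

# triage_updates: reads the plugin report on stdin and prints one line per
# reported update in the form "KIND COORDINATE OLD NEW".
triage_updates() {
  grep -- ' -> ' \
  | sed -n 's/^\[INFO\] *\([^ ]*\) *\.* *\([^ ]*\) -> \([^ ]*\)$/\1 \2 \3/p' \
  | while read -r coord old new; do
      printf '%s %s %s %s\n' "$(classify_bump "$old" "$new")" "$coord" "$old" "$new"
    done
}

# routine_updates: the non-major bumps, i.e. the ones usually safe to batch
# into a single "update dependencies" ticket.
routine_updates() {
  triage_updates | grep -v '^major '
}

# Against a live build this would be:
#   mvn versions:display-dependency-updates | triage_updates
printf '%s\n' "$SAMPLE_REPORT" | triage_updates
```

The same filter works unchanged on the `display-plugin-updates` report, since the plugin prints plugin coordinates in the same "coord .... old -> new" layout; the major-bump list is the one worth reading against the release notes before touching the pom.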