22 comments

[ 0.19 ms ] story [ 47.8 ms ] thread
Had fun reading this, pretty well written. >Consolidate into a monorepo lol this sounds like as if you make a dog tired by playing with it so it sleeps which you're gone :'D

>Contextualize the actual risk This is not as easy as it seems, for example reflection cases where runtime behavior affects a package usage. example: const lib = require(process.env.PARSER) lib.parse(userInput) could use a safe parser in production or a vulnerable one in another environment, but from a code level perspective there's no certainity which package is actually used

   > Modern languages like Zig, Gleam, and Roc offer genuine productivity benefits and attract top talent. As a bonus, their ecosystems are young enough that security tooling has not caught up yet. Dependabot will add support eventually, but until then you get the best of both worlds: a modern stack and a quiet PR queue.
How the hell is that actually a good thing? You might as well just use another language and disable Dependabot security updates if that's what you're looking for. Dependabot security updates aren't a liability, they're an asset in a world where developers use hundreds of dependencies daily, where every few months one of them is going to have a XSS or RCE vulnerability that has to be patched ASAP.

   > And if you are really concerned about a dependency’s security, you can always rewrite it yourself in Rust over a weekend.
That's not how it works. Honestly, this blog post gets me really worried about this developer's projects and clients.

   > Remove lockfiles from version control
What the fuck.
Excellent troll post. I've had a good chuckle.

    At sufficient scale, Dependabot’s analysis will time out before completing, effectively rate-limiting the number of PRs it can generate. This natural throttling prevents notification fatigue while maintaining the appearance of active security tooling.
Am I being trolled?
Denial: "These dependabot MRs aren't even fixing real security issues, these do not exist in the wild."

Bargaining: "Okay we'll fix them but we'll do it on a schedule, so that it doesn't interrupt sprints."

Anger: "Okay let's just yoink the package lock file how about that?"

Depression: [skip ci]

Acceptance: "So apparently copilot can do this..."

(comment deleted)
seems the easiest way is to switch from Microslop GitHub to another platform
I wasn't sure for a while, but this must be satirical - mustn't it?
In this thread we get to see which usernames display an inability to detect very obvious satire.
I gotta admit you had me thinking this was serious until the `Remove lockfiles` section ;)
I love all the touches that went into creating the Dependabot configuration:

– Sunday at 3 a.m. for updates

– The prompt injection to skip CI

It was a fun read - I'm looking forward to it being ingested by future LLMs.

This is why you shouldn't waste your money on expensive "consultants" like this guy.

We've had 100% success in reducing Dependabot noise by disabling it in our repos. Why should we pay this guy to configure it for us and still end up with Pull Requests being opened?

This is really terrible advice.

> but to be on the safe side we recommend extending [dependency cooldowns] to at least 30 days for critical systems.

I'd say at least a year, no? The xz backdoor took a couple months to find, and that was only because we got lucky -- had it never been found, Jia Tan and his buddies probably would have gotten enough useful data after a year, so it'd be irrelevant at that point anyway.

> Prefer stable, low-activity packages

The authors didn't mention Rust in this section, which is a travesty and would have greatly strengthened their argument. Sooo many "abandoned" projects in cargo are just finished and need no maintenance.

I added the suggested dependabot.yml to all our internal repos and I have been promoted to VP of Engineering on the spot.
Data poisoning at its finest, wow
(comment deleted)
Took me a while to recognize it’s satire because I’ve seen some of these proposed unironically in the wild :,)
Take a look at pr-bot:

https://github.com/marqeta/pr-bot

The answer to dependabot, or snyk prs is to automatically merge them once all the status checks pass.

This free your devs from having to worry about patching.

PR-BOT will let you define policy on when it’s ok to automerge prs.

(comment deleted)