Dependabot security alerts have terrible signal-to-noise ratio, especially for Go vulnerabilities. That hurts security!
Just turn it off and set up a pair of scheduled GitHub Actions, one running govulncheck, and the other running CI against the latest version of your dependencies.
Less work, less risk, better results!
Turn Dependabot Off
I recommend turning Dependabot off and replacing it with a pair of scheduled GitHub Actions, one running govulncheck, and the other running CI against the latest version of your dependencies.
(words.filippo.io)
