I recommend turning Dependabot off and replacing it with a pair of scheduled GitHub Actions, one running govulncheck, and the other running CI against the latest version of your dependencies.

Filippo's resource offers insights, tutorials, and resources for software developers and technology enthusiasts. Readers can learn about web development, programming languages, and software engineering best practices. With articles, tutorials, and code samples, Filippo provides  guidance and expertise for building software applications and exploring new technologies.

Filippo Valsorda

Dependabot generates excessive noise by opening PRs for vulnerabilities that don't actually affect your code, causing alert fatigue and discouraging proper security triage. Using a real case study—a filippo.io/edwards25519 security fix that triggered thousands of irrelevant PRs—the author argues for replacing Dependabot with two scheduled GitHub Actions: one running govulncheck (which uses static analysis to filter alerts to only reachable vulnerable symbols), and one running CI against the latest dependency versions. This approach eliminates false positives, reduces supply chain risk by not auto-merging updates, and ensures security alerts are actionable rather than routine noise.

Turn Dependabot Off

Use a serious vulnerability scanner instead

Don’t blame the messenger, dependabot is only notifying you about new versions of your dependencies. And it does it perfectly well!
The question is: Why do you have so many dependabot PRs?
Answer is: Many of your dependencies are releasing updates and this is actually a very good thing
It means these dependencies are actively maintained.
Why do they need so many patch and updates? Maybe they lack of expertise, maturity but guess what? You use open source, how about you contribute to improve them so they have less security issues to patch so you have less dependabot PR to merge?
Why you should update dependencies regularly will you ask?
Because like that you benefit from new features, bugfix, security patches.
But what if it breaks my code after? Better now than in one month with a huge set of commits no? Fail fast, release fast, react fast. This is software engineering in 2026.
Well I don’t know seems this article is written by a Project manager with all the due respect… quality require efforts. No pain no gain.

I get the complaint about “noise” but if you’re not actively maintaining your code dependencies that’s inevitable. I use dependabot but only let it mail me issues, not automatically raise PR’s. I triage the issues myself - many are typically not exploitable or not relevant, so can be deferred.

Dependabot is certainly not the best option for security alerts — it’s better to use a specialized tool whose sole purpose is security. However, Dependabot is excellent for updating dependencies — you just need to spend some time setting it up to fit your development cycle

Signal over noise, security tooling should surface real risk, not theoretical exposure. Reachability-based checks plus controlled updates beat blind PR spam every time.

I do agree somewhat dependabot can generate a lot of noise, and nosie gets ignored by teams quickly. On the other side though if you just ignore none urgent / vulnerable packages you just kick the can down the road