Every now and then I get PRs from GitHub’s Dependabot. I used to routinely accept them, then once it caused grief and only after the fact one of the python-dev Git experts said not to accept it.
Should I accept these two?
Bump sphinx from 5.2.3 to 5.3.0
Bump sphinx-lint from 0.6.6 to 0.6.7
Is it generally good to accept these (was that one problematic thing a rare occurrence) or should I routinely reject them?
I got so annoyed by it that I deleted the config file in my repo’s main branch, so now I have to take care to create branches for PRs from the upstream/main branch rather than origin/main (origin being my fork).
If forks, just close them. If you close with @dependabot ignore this dependency, you’ll get a little less spam in the future. Better yet, delete the config like @merwork suggested.
The good news is GitHub recently said they’re finally working on a fix for the fork spam.
The terse changelog blurb does not state what happens to already existing forks. If dependabot is re-enabled on the main repo, will it automatically disable running dependabot on existing forks, or will all 24.8k of the forks need to manually disable it?
As an alternative, I’ve been happily using Renovate in my projects, which doesn’t create PRs for forks (unless specifically enabled in upstream config).