by Kalium 2581 days ago
If the increase in homogenization comes from everyone keeping their packages up to date and secure, I'm going to see that as a net win for the community.

Sure. I think what he's saying is, even if the built-in version of Dependabot is good, it's really hard for another startup to come along and make the next Dependabot 2, that does things even better. Without that threat of competition, Github's implementation may stagnate. I haven't seen any indication of stagnation from the Github team yet though.
I understand and agree that that is what parent is saying.

I think it might be worth considering that Dependabot outdid a Github feature to do the exact same thing. Dependabot beat out the in-house Github implementation by being better and having better features. Indeed, Dependabot integrated with Github better!

I understand the concern. There's a very real fear that having Dependabot in-house at Github might mean that something even better never develops. It's very possible that this might come true this time! But I am skeptical, given that it clearly failed to occur previously. I'm not seeing why this time around will be different, but I'm sure that's just a lack of vision on my part.

Plus, well, if Dependabot keeps away all would-be competitors by being so good at what it does that nobody can compete... I consider that a win. My main concern and primary goal is more secure software, not more startups rooted in an ecosystem around Github.

I would argue that GitHub has appeared substantially less stagnant _since_ the acquisition than the year or so beforehand.

(Edited to correct a typo)

Yes. They were about to have their enterprise lunch eaten by GitLab.
Wouldn't that stagnation be exactly what prompts another startup to come along and make the next Dependabot 2?
I don't see vendor lock-in as a net win for anyone but the vendor.