by gkoberger
2500 days ago
The alternate is that critical infrastructure can just... disappear. Like "leftpad", but worse. GitHub is already really great about alerting you with critical issues. Whenever there's a security bug, it pops up in our repo (and with Dependabot, it's become automatic).

I just looked up Dependabot and linked it with a repo that I already have robust testing and a CI pipeline for. Preliminarily, Dependabot is great!
It automatically updates my dependencies to the latest versions and submits individual PRs. Since I have TravisCI hooked up to this particular repo, I can see all the test results for each PR and can (confidently) merge the changes into master without manually firing up my personal dev machine(s) and manually performing what Dependabot just did.
Anyway, thanks for the tip!