Hacker News
by gherkinnn 1797 days ago
Here's some information on these "vulnerabilities": https://overreacted.io/npm-audit-broken-by-design/

As far as I'm concerned, there's no need for Dependabot to create PRs. The notifications in the security tab are enough. Mark the unnecessary ones as benign.

2 comments

The PRs are really helpful when you do actually want to update.
You can have Dependabot create a PR by hitting a button somewhere in the vulnerability details.
And here's the HN discussion on that thought-provoking post:

https://news.ycombinator.com/item?id=27761334