[IshKebab]

I feel the same way about those bots that tell you about insignificant security vulnerabilities in some project you abandoned. It's basically spam.

That said, this does seem like it is a bit more useful. As long as they actually read the changes and make sure they aren't false positives. Which I'm guessing they didn't do for 666 repos.

[b6dybuyv]

> As long as they actually read the changes and make sure they aren't false positives. Which I'm guessing they didn't do for 666 repos.

In the article they say that "really a bot found the problem and made the PR, but really a human developer at Code Review Doctor did triage the issue before the PR was raised)".

[colejohnson66]

> I feel the same way about those bots that tell you about insignificant security vulnerabilities in some project you abandoned. It's basically spam.

If you "archive" your repos, dependabot and friends won’t bother you.

Or, you could just disable security alerts in your repo's settings.

[oefrha]

Dependabot isn’t the only source of vulnerability fatigue, there are plenty of “researchers” who would spam your active projects about pointless “vulnerabilities”. For instance, I recently got one about a parsing issue in gmp from a human user, who probably found it by scanning PyPI. I’m not touching anything adjacent to the supposedly vulnerable codepath, and the fix isn’t even in a gmp release, meaning I would have to carry a patch if I were to “fix” it. I still responded amicably, but I was not happy.

[colejohnson66]

There’s not really anything that can be done about that, yet, unfortunately. But if you’re not committing to the repo anymore, archiving it is an option. It’ll disable the issue tracker and pull request features. And if you change your mind, you can unarchive it.