[morningsam]

>Though I have wondered about the idea of programming something like Dependabot, but telling it, hey, tell me about known CVEs and security releases, but otherwise, let things cook for 6 months before automatically building a PR for me to update.

Renovate can do both of these things already:

https://docs.renovatebot.com/configuration-options/#vulnerab...

https://docs.renovatebot.com/configuration-options/#minimumr...