
Added a config for dependabot.#42

Closed
KOLANICH wants to merge 1 commit into jaraco:main from KOLANICH:dependabot

Conversation

@KOLANICH
Contributor

@KOLANICH KOLANICH commented Feb 6, 2021

No description provided.

@jaraco
Owner

jaraco commented Feb 21, 2021

Thanks for this. In my whole experience with dependabot, it's only ever been a nuisance for me, but I'm willing to try it. Can you tell me more about why you selected the settings here? What is directory? Is there a reason the default schedule and dependency types aren't suitable?

@KOLANICH
Contributor Author

KOLANICH commented Feb 21, 2021

Thanks for this. In my whole experience with dependabot, it's only ever been a nuisance for me, but I'm willing to try it.

For me too. In some repos I send PRs to, when I push, dependabot gives me a warning. Getting notified about vulnerable dependencies is useful, but when I am working on a fork, it's not the decision that is done by me, but by the repo maintainer (and he already knows about the issue, since it is his repo, so he should get more notifications than me). Also IMHO it is not very correct to upgrade >= conditions only because the dep is vulnerable (>= conditions are about compatibility, not security), and in my projects I never use == and < (for which dependabot's notifications are the most valuable) conditions because I believe that these conditions do only harm (and my experience persuades me that I am right) and that they fix the wrong thing (instead of making the package compatible with the versions that eventually land, devs just fix the versions to old ones).

Can you tell me more about why you selected the settings here?
Is there a reason the default schedule and dependency types aren't suitable?

https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates

schedule.interval
Required You must define how often to check for new versions for each package manager.

There are no defaults. One must explicitly set it. daily is the shortest one. weekly feels too infrequent.

What is directory?

directory
Required You must define the location of the package manifests for each package manager (for example, the package.json or Gemfile).
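As an added illustration (editor's example, not the file from this PR, whose diff is not shown on this page), here is a minimal .github/dependabot.yml that uses the two required keys discussed above, schedule.interval and directory, alongside the third required key, package-ecosystem. The pip ecosystem and the repository-root directory are assumptions about the repository, not something stated in the thread; the github-actions entry shows that the same keys repeat per package manager.

```yaml
# .github/dependabot.yml (editor's example; ecosystem and path are assumed)
version: 2
updates:
  # Python dependencies: assumes the manifest (setup.cfg / pyproject.toml)
  # lives in the repository root, hence directory "/".
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"   # required; "daily" is the shortest interval

  # GitHub Actions workflows are a separate package manager entry;
  # directory "/" means the workflows under .github/workflows are scanned.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
```

Each entry under updates is checked independently, so a repository with manifests in several subdirectories needs one entry per directory. Reducing interval to "weekly" is the usual knob to turn if the resulting pull requests become too noisy, which is the "toil" concern raised later in this thread.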

@jaraco
Owner

jaraco commented Apr 26, 2021

Let's give it a try and see how it works. If it creates more than a modicum of toil, I may dial it down or remove it.

@jaraco
Owner

jaraco commented Apr 26, 2021

Well, I tried updating the pull request to include a note in the docs, but it seems I don't have permission.

skeleton dependabot $ git push gh://KOLANICH/skeleton
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 8 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 358 bytes | 358.00 KiB/s, done.
Total 3 (delta 2), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (2/2), completed with 2 local objects.
To https://github.com/KOLANICH/skeleton
 ! [remote rejected] dependabot -> dependabot (permission denied)
error: failed to push some refs to 'https://github.com/KOLANICH/skeleton'

I guess I'll have to push to a new PR.

@jaraco jaraco mentioned this pull request Apr 26, 2021
@jaraco
Owner

jaraco commented Apr 26, 2021

Superseded by #50.

@jaraco jaraco closed this Apr 26, 2021
@KOLANICH KOLANICH deleted the dependabot branch April 26, 2021 05:13