📖 docs: be more specific about what Dependabot brings with it #1336
Conversation
It would have helped me to decide whether I needed it or not
The documentation should probably mention that RenovateBot doesn't support dependencies pinned to SHAs in a way that would be human-friendly: evverx/systemd#30 but since I'm not sure whether it's configurable or not I decided not to include it in this PR. More generally, it would be great if before recommending anything in its documentation the scorecard project could somehow make sure that whatever it recommends is more or less usable.
I'd personally probably stop recommending CodeQL as well due to its hidden security tab with alerts. It was discussed in #1257 (comment) and #1074 (comment) though.
There seems to be another missing feature: dependabot/dependabot-core#2835 (comment)
Thanks!
Integration tests success for
Thanks @evverx. Feel free to open issues about the comments you have added here and we can continue the discussion there.
FWIW I think this PR can be reverted because that particular Dependabot bug was fixed: https://github.blog/changelog/2022-11-07-dependabot-pull-requests-off-by-default-for-forks/
It would have helped me to decide whether I needed it or not
dependabot/dependabot-core#2804 has been open for almost a year (and dependabot/dependabot-core#2198 since 2019) so it doesn't seem to make sense to wait for it to be fixed anytime soon.