mmarian 2 days ago

If you auto merge those PRs you're back to square 1 as you're not vetting your dependency updates. And if you don't, you incur operational overhead unless you put in a fair amount of effort centralizing. Wrote a couple of posts that touched on this https://developerwithacat.com/blog/202604/github-actions-sup...

arionmiles a day ago | parent | next [-]

Valid point. We have minimum age requirements set on some rules to avoid absorbing every latest change instantly.

mmarian a day ago | parent [-]

How would that solve the problem though? You're still bringing compromises in, just with a delay. And the fixes will come in after the compromise, in accordance with the delay policy.

To make matters worse, you'd lose getting alerts on vulnerabilities. Dependabot won't send them, and neither will Renovate, last time I checked.

pabs3 a day ago | parent | prev [-]

How many people actually audit the code changes in their dependencies when updating them?

mmarian a day ago | parent [-]

Few, if any. Which is why I'm highlighting that you can't just use commit SHA + Renovate then call it a day.
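As an added example, not taken from this thread or from Renovate's own tooling: a small audit script that checks a Renovate configuration for the three settings the comments above touch on, namely digest (commit SHA) pinning for GitHub Actions, a minimumReleaseAge rule on the github-actions manager, and whether automerge is in effect for those updates. The option and preset names (`pinDigests`, `minimumReleaseAge`, `automerge`, `matchManagers`, `matchDepTypes`, `helpers:pinGitHubActionDigests`) are real Renovate configuration keys; the two configs are constructed for illustration, and the "later packageRules override earlier ones and the top level" resolution is a deliberate simplification of Renovate's merge behaviour (an assumption of this script, not a statement about Renovate internals). It only verifies that the policy is present; it does nothing about the review gap the thread is really about.

```python
"""Audit a renovate.json for the GitHub Actions update policy discussed above.

Constructed example; not part of Renovate. Checks presence of settings only.
"""
from __future__ import annotations

import json
import re
from typing import Any

# Real Renovate preset that pins GitHub Actions `uses:` references to digests.
PIN_ACTIONS_PRESET = "helpers:pinGitHubActionDigests"

# Accepts values like "3 days", "1 week", "12 hours".
AGE_RE = re.compile(r"^\s*\d+\s*(minute|hour|day|week|month|year)s?\s*$")


def _rules_for_actions(cfg: dict[str, Any]) -> list[dict[str, Any]]:
    """Return packageRules whose match criteria cover GitHub Actions deps."""
    out: list[dict[str, Any]] = []
    for rule in cfg.get("packageRules", []):
        managers = rule.get("matchManagers", [])
        dep_types = rule.get("matchDepTypes", [])
        if "github-actions" in managers or "action" in dep_types:
            out.append(rule)
    return out


def _effective(cfg: dict[str, Any], rules: list[dict[str, Any]], key: str) -> Any:
    """Simplified resolution (assumption): last matching rule wins, else top level."""
    value = cfg.get(key)
    for rule in rules:
        if key in rule:
            value = rule[key]
    return value


def audit_renovate_config(cfg: dict[str, Any]) -> list[str]:
    """Return a list of policy findings; an empty list means all three checks pass."""
    findings: list[str] = []
    rules = _rules_for_actions(cfg)

    pinned = (
        _effective(cfg, rules, "pinDigests") is True
        or PIN_ACTIONS_PRESET in cfg.get("extends", [])
    )
    if not pinned:
        findings.append(
            "actions are not pinned to commit digests "
            "(set pinDigests or extend helpers:pinGitHubActionDigests)"
        )

    age = _effective(cfg, rules, "minimumReleaseAge")
    if not isinstance(age, str) or not AGE_RE.match(age):
        findings.append(
            "no minimumReleaseAge for github-actions: new releases are proposed immediately"
        )

    if _effective(cfg, rules, "automerge") is True:
        findings.append("automerge is in effect for actions: updates land without review")

    return findings


def audit_renovate_file(path: str) -> list[str]:
    """Load a plain-JSON renovate.json (not json5) and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_renovate_config(json.load(fh))


# Constructed sample configs for illustration.
WEAK_CONFIG: dict[str, Any] = {
    "extends": ["config:recommended"],
    "automerge": True,  # every update merges as soon as checks pass
}

HARDENED_CONFIG: dict[str, Any] = {
    "extends": ["config:recommended", PIN_ACTIONS_PRESET],
    "packageRules": [
        {
            "matchManagers": ["github-actions"],
            "minimumReleaseAge": "7 days",  # delay only; still no vetting
            "automerge": False,
        }
    ],
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_renovate_config(cfg) or 'no findings'}")
```

Running it prints three findings for the weak config and none for the hardened one; point `audit_renovate_file` at a repository's own renovate.json to check it the same way.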