Disabling Scheduled Dependency Updates

davidism.com

18 points by benhoyt a year ago · 7 comments

ydnaclementine a year ago

This guy calls it out here, but I will say that the notifications page on GitHub could do with a redesign. If you're in a busy org for your job, it's not easy to see everything in the org (they limit the number of notifications shown per repo), and the volume of notifications from your job org will cover up anything in your personal/following repos.

Sure you could unfollow work repos you aren't interested in, but you're automatically following any new ones.

  • charrondev a year ago

    In my case I recently moved all my company org access to a separate GitHub account. It definitely solves this issue at least.

maximilianroos a year ago

An alternative is to automatically merge dependency changes which pass the tests. Then there's no need for any intervention unless something needs your attention; just dismiss the notification.

We do this at PRQL, with: https://github.com/PRQL/prql/blob/12b1bb65afd5b67f34b98d0ac1...

  • norman784 a year ago

    TBH with Rust it's easier, because if it compiles, it works. While in the dynamic language ecosystems it is more risky and will require manual review either way, unless you have 100% test coverage, which I would assume is very rare.

cesnja a year ago

You get to choose either the mind-numbing churn of constant updates, the risk of updates piling up and becoming unmanageable, or shipping software with vulnerabilities. None of these options sounds fun.

donatj a year ago

I really wish there was a step before opening a PR, like a page with a list of what's out of date that lets you click a button to open a PR for one or more dependency updates.

  • cesnja a year ago

    Renovate has a feature called "Dependency Dashboard" which does exactly that.
