Turn Dependabot Off

Dev community says the update bot cries wolf — pull the plug

TLDR: A flood of scary but irrelevant Dependabot alerts after a minor Go fix sparked calls to shut it off and use smarter scanners like govulncheck. The community split between “kill the noise,” “keep weekly updates,” and “slow down to stop supply chain risks,” while others hunted Rust and JVM equivalents.

A Go maintainer set the internet on fire by saying: turn Dependabot off. After a tiny, one‑line fix in a rarely used part of a crypto library, the GitHub update bot blasted thousands of projects with scary alerts and PRs — even ones that didn’t use the affected code. Cue chaos, eye‑rolls, and a new meme: the bot that cries wolf. The author’s fix? Run smarter checks like govulncheck (a Go tool that flags only real risks) and your tests on a schedule — not every time the bot panics.

Comments lit up. One camp cheered the move, calling Dependabot a “noise machine” and praising govulncheck as the adult in the room. Another camp urged balance: keep weekly Dependabot updates, but pair them with govulncheck for sanity. Security hawks warned that upgrading too fast spreads supply chain attacks; their mantra: delay is a feature. Tool hunters piled in asking for Rust and JVM versions, with shout‑outs to govulncheck‑action and questions about Gradle/Sonatype options. Jokes flew about “CVSS astrology,” the mysterious 73% “compatibility score,” and a false alarm on Wycheproof becoming Exhibit A for bot overreach. The vibe: fewer panic PRs, more real risk checks — and yes, “Time is a good firwall” is now a T‑shirt waiting to happen.

Key Points

  • The author recommends turning off Dependabot for Go projects due to noisy and misleading security alerts.
  • A bug in filippo.io/edwards25519’s Point.MultiScalarMult was fixed in v1.1.1 (from v1.1.0), with CVE-2026-26958 assigned.
  • Dependabot issued thousands of PRs and alerts, including a 73% compatibility score, to repositories largely unaffected by the issue.
  • A false alert targeted the Wycheproof repository, which imports only the unaffected edwards25519/field subpackage.
  • The article advises using scheduled GitHub Actions to run govulncheck and tests, leveraging Go Vulnerability Database metadata and reachability analysis.
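As an added example (not the article's own workflow), a scheduled GitHub Actions job that runs govulncheck and the test suite once a week instead of reacting to every Dependabot bump; it assumes the Go module's go.mod sits at the repository root and that an ubuntu-latest runner is acceptable.

```yaml
name: vulnerability-check

on:
  schedule:
    - cron: "0 6 * * 1"   # every Monday 06:00 UTC, not on every dependency bump
  workflow_dispatch:       # allow a manual run from the Actions tab

permissions:
  contents: read           # least privilege: the job only reads the checkout

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # assumes go.mod at the repository root

      # govulncheck consults the Go Vulnerability Database and fails only when
      # a vulnerable symbol is reachable from this module's call graph, so a
      # project that imports just an unaffected subpackage does not fail here.
      - name: Run govulncheck
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...

      # Steps run in order and stop on the first failure, so the tests only
      # run after a clean vulnerability scan.
      - name: Run tests
        run: go test ./...
```

A reachable finding makes the govulncheck step exit non-zero, which is the signal to act on rather than a Dependabot PR against an unaffected import.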

Hottest takes

"Dependabot regular update PRs once a week seems like a good option in addition to govulncheck" — literallyroy
"Time is a good firwall." — seg_lol
"Govulncheck is one of the Go ecosystem's best features" — ImJasonH
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.