Today, Dependabot PRs generate work that has to be managed manually, by approving and merging each one.
Suggestion: reduce that work by using Dependabot automation, as described in this guide.
The suggestion is to auto-approve and auto-merge a PR only if the dependency got a minor or patch bump and has no security alerts.
If a security alert exists, there is no auto-approve/merge: the PR is marked as security for manual approval. All major bumps also always get manual review.
High-level code may look something like:
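As an added illustration (not code from the original suggestion or from Dependabot itself), the policy above expressed as a GitHub Actions workflow. It assumes the repository has "Allow auto-merge" enabled and uses the `dependabot/fetch-metadata` action's `update-type` and `ghsa-id` outputs; the label names `security` and `major-bump` and the squash merge strategy are assumptions for this example.

```yaml
# Added example: auto-approve/merge only minor or patch bumps with no linked
# security advisory; label security fixes and major bumps for manual review.
name: Dependabot auto-merge
on: pull_request

# Workflows triggered by Dependabot get a read-only GITHUB_TOKEN unless the
# permissions key raises it. security-events: read is needed for the action
# to resolve the linked security alert.
permissions:
  contents: write
  pull-requests: write
  security-events: read

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    env:
      PR_URL: ${{ github.event.pull_request.html_url }}
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Security fix: never auto-approve, label it so a human reviews it.
      - name: Label security updates for manual review
        if: steps.metadata.outputs.ghsa-id != ''
        run: gh pr edit "$PR_URL" --add-label "security"

      # Major bump: always manual review (assumed label name "major-bump").
      - name: Label major bumps for manual review
        if: steps.metadata.outputs.update-type == 'version-update:semver-major'
        run: gh pr edit "$PR_URL" --add-label "major-bump"

      # Minor/patch with no advisory: approve and enable auto-merge. The merge
      # only happens once the branch's required status checks pass.
      - name: Approve and auto-merge minor/patch updates
        if: >-
          steps.metadata.outputs.ghsa-id == '' &&
          (steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
           steps.metadata.outputs.update-type == 'version-update:semver-patch')
        run: |
          gh pr review --approve "$PR_URL"
          gh pr merge --auto --squash "$PR_URL"
```

Because `gh pr merge --auto` defers to branch protection, the required CI checks remain the real gate: a minor or patch bump that breaks the build is never merged, and anything labelled `security` or `major-bump` waits for a reviewer.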