dependabot security updates enabled by mistake?

[laurentsenta]

Reported by @marten-seemann on Slack: https://filecoinproject.slack.com/archives/C03KLC57LKB/p1676416291646809

Around last week, the libp2p team started seeing unwanted dependabots PRs. These are examples they shared:

• https://github.com/libp2p/go-libp2p/pull/2098
• https://github.com/libp2p/go-libp2p/pull/2099
• https://github.com/libp2p/go-libp2p/pull/2100
• https://github.com/libp2p/go-libp2p-xor/pull/21

These PRs seem to be related to dependabot alerts, which are security alerts (this is important because these are enabled via the UI).

It seems to have occurred around the time when we worked on and merged https://github.com/pl-strflt/github-mgmt/pull/93. So the team assumed we changed something in the org configuration without letting them know. I couldn't find traces of configuration changes in the libp2p/github-mgmt repo, and there are no dependabot files in concerned repos like go-libp2p.

So that's either a coincidence or a bug.

I assumed a bug, I wouldn't be surprised if this were caused by a new default value but:

• it seems that the terraform github provider does NOT support changing the security updates flag (we're using v4.something),
• There is no configuration in the documentation either.
• Unlike versions updates which rely on dependabot.yml, It seems that github's dependabot security updates is enabled in UI only.

There is no way to find dependabot config changes in github's audit log, so I don't think we can tell what enabled this flag.

I'll check with the team and disable these manually, but we definitely want to investigate these when @\galargh is back from his break.

[galargh]

The report has nothing to do with GitHub Management. Yes, we did work on dependabot around the same time but that has nothing to do with it.

I'll check with the team and disable these manually.

I do advise against this. I wouldn't disable automatic potential security vulnerabilities resolution.