
Conversation

@MichaelChirico (Member)

This is a nice automated tool to keep the various GitHub Actions dependencies up-to-date without needing to monitor them.

E.g., I noticed we are on v4 of this action, whose current 'latest' version is v6:

- uses: actions/checkout@v4

Example dependabot PR from {lintr}:

r-lib/lintr#2992

It's generally a good idea to scan the update log -- an automation tool like this introduces some risk of getting exposed to a security issue (while also removing the security risk of continuing to use versions with known flaws). The actions we use are among the highest-volume actions, so I think that risk is low.

Documentation: https://github.com/dependabot/dependabot-core?tab=readme-ov-file

I already enabled this in the repo settings.
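The comment above is about letting Dependabot bump the versions of the actions a repo uses (here, `actions/checkout@v4`). The caveat a practitioner usually wants next to that is the pin type: a tag such as `@v4` is mutable (the maintainer, or anyone who compromises the action's repo, can move it), whereas a full 40-hex commit SHA is not, and Dependabot will still bump full-SHA pins and keep a trailing `# vX.Y.Z` comment in sync. The script below is an added example, not code from this PR or from the project: it scans the `uses:` lines of a workflow file and reports how each action is pinned. The workflow text, the action names `some-org/some-action`, the SHA and the version comment are all constructed for the example.

```python
"""Report how each `uses:` reference in a GitHub Actions workflow is pinned.

Added example: a stdlib-only line scanner (no YAML parser needed, since `uses:`
values are single scalars), with a constructed sample workflow at the bottom.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A step's `uses:` key, with or without a leading "- ", optional quotes around the
# value, and an optional trailing "# ..." comment (Dependabot keeps "# vX.Y.Z" there).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?\s*(?:#\s*(.*))?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
VERSION_TAG_RE = re.compile(r'^v?\d+(\.\d+){0,2}$')   # v4, v4.1, v4.1.2, 4.1.2


@dataclass(frozen=True)
class ActionRef:
    line: int
    action: str                 # "actions/checkout", a local path, or a docker:// URL
    ref: Optional[str]          # text after "@"; None for local/docker or when absent
    pin: str                    # "sha" | "tag" | "branch" | "local" | "docker"
    comment: Optional[str]      # trailing comment, e.g. "v3.8.2"


def classify(value: str, comment: Optional[str] = None, line: int = 0) -> ActionRef:
    """Classify one `uses:` value. Anything that is not a full SHA is mutable."""
    if value.startswith(("./", "../")):
        return ActionRef(line, value, None, "local", comment)
    if value.startswith("docker://"):
        return ActionRef(line, value, None, "docker", comment)
    action, _, ref = value.partition("@")
    if not ref:
        pin = "branch"          # no ref at all resolves to the default branch
    elif FULL_SHA_RE.match(ref):
        pin = "sha"             # immutable commit pin
    elif VERSION_TAG_RE.match(ref):
        pin = "tag"             # looks like a release tag; tags can be moved
    else:
        pin = "branch"          # branch name or any other moving ref
    return ActionRef(line, action, ref or None, pin, comment)


def scan_workflow(text: str) -> List[ActionRef]:
    """Return every `uses:` reference in workflow text, in file order."""
    refs = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = USES_RE.match(raw)
        if m:
            refs.append(classify(m.group(1), m.group(2), n))
    return refs


def mutable_refs(refs: List[ActionRef]) -> List[ActionRef]:
    """The references Dependabot updates but which are not pinned to a commit."""
    return [r for r in refs if r.pin in ("tag", "branch")]


# Constructed sample workflow. The SHA and the "# v3.8.2" comment are made up,
# and some-org/some-action is a hypothetical action, not a real one.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.8.2
      - uses: ./.github/actions/local-thing
      - name: lint
        uses: some-org/some-action@main
      - run: echo hi
"""


def report(text: str) -> List[str]:
    """Human-readable lines for the mutable references found in `text`."""
    lines = []
    for r in mutable_refs(scan_workflow(text)):
        lines.append(f"line {r.line}: {r.action}@{r.ref} is pinned by {r.pin}, not by commit SHA")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_WORKFLOW):
        print(line)
```

Run against the sample it flags `actions/checkout@v4` and `some-org/some-action@main`; the SHA-pinned step and the local action pass. Pointing it at a real `.github/workflows/*.yml` is the quick way to see what a Dependabot actions PR will touch and which of those refs are still movable by a third party.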

@MichaelChirico MichaelChirico merged commit 6a70af6 into master Dec 26, 2025
8 checks passed
@MichaelChirico MichaelChirico deleted the enable-dependabot branch December 26, 2025 17:59