I just enabled Dependabot alerts and security updates for a couple of my team’s repositories. So far, it looks like a helpful feature.
However, I noticed that when opening PRs for security updates, Dependabot seems to pick the dependencies to update at random (I had 9 vulnerabilities, and it picked 6 of them randomly to open PRs for). They weren’t selected due to alphanumeric ordering, version number, or even severity. Interestingly, one of the dependencies it did choose to create a PR for was marked “low severity”, while one of the dependencies it didn’t choose was of “critical severity”. That seemed odd to me.
Is there a way to configure Dependabot to prioritize its security updates by severity, so that it focuses on the most important ones first?