As it seems that there are no signs dependabot spam will go away, I ended up disabling it and avoiding adopting it for any new projects. Disable dependabot due to spammy nature by ssbarnea · Pull Request #1396 · ansible-community/ansible-lint · GitHub

Dependabot is great idea, but it fails to cover some critical aspects like being able to create single update commit with all updated dependencies. Lack of this feature makes is impractical for any projects that have either many dependencies or some that change often. Usually on python world, this means >10 deps in total, it already became a burden.

I already have Dependabot disabled in the Security & analysis page (as shown by the first below image), but I still receive unwanted PRs from Dependabot (as shown by the second below image). How do I disable them? This is on a fork, so I never want these PRs, instead I will let the upstream repo update their dependencies and then I will fast-forward to their master.

Screenshot from 2021-05-13 05-41-36950×400 27.2 KB

Screenshot from 2021-05-13 05-45-381000×900 82.1 KB

For NPM, dependabot always check @next which is really annoying.

I search a lot and try to disable the @next channel updates, but with no luck, and find nothing. So I have to disable the whole dependabot to help myself stop being spamming by it.

I really miss greenkeeper more, the greenkeeper is really better than the dependabot on GitHub today.

@TheLastGimbus In my situation, I get dependabot PRs on a fork of another repository. Deleting a file in the repo is not an option because I want to keep my master branch in sync with the upstream one.

I got the idea from Bootstrap folks: you can delete them in another branch (like master-2), then set that branch as the default branch.