Hi,
I can’t find any way to restrict who’s comments DependaBot listens to in PR - am I missing something or is that not configurable?
It feels a bit wonky if anybody may trigger a merge in a public repo just by commenting?

I’d consider posting in one of three places:

GitHub/feedback w/ the dependabot label:

dependabot/dependabot-core repository:

GitHub/docs:

Specifically noting that there’s a reviewers field but no indication as to whether using it would block non reviewers from talking to the bot: