We currently have 10 PRs against the repo for dependabot updates... most of which I'm pretty sure we would get the proper updates for at install time aside from the package-lock.json...
For example I opened https://github.com/nodejs/nodejs.dev/pull/667 after testing out the repo with npx david. All of the updates currently proposed by dependabot are all covered via our existing fuzzy versioning.
The documentation is pretty light, but I noticed there is an "automerge" option https://dependabot.com/docs/config-file/#automerged_updates
I like the auto merge idea for minor and patches.
Auto merge is a good idea. I have dependabot installed on my repos and I do get a lot of PRs; however, after switching to auto-merge it became easier.
@designMoreWeb do you have a config.yml you can share for dependabot?
Shouldn't actually need the config. I've enabled the ability to opt-in to the Auto-merging for projects, but I haven't enabled it on the project

Packages can also be whitelisted

@benhalverson I do have it, posted it down below:
version: 1
update_configs:
  - package_manager: "javascript"
    directory: "/"
    update_schedule: "daily"
    automerged_updates:
      - match:
          dependency_type: "development"
          # Supported dependency types:
          # dependency types include Production, development, and all
          update_type: "all"
          # Supported updates to automerge:
          # - "security:patch"
          # - "semver:patch"
      - match:
          dependency_type: "production"
          update_type: "semver:patch"
I've updated the settings fairly significantly. I've set up dependabot to filter to only open PRs related to security fixes. I've also set it to auto land any security fixes that are at patch level.
This should significantly reduce the noise we receive. This will require us to keep dependencies up to date manually, but will make sure we are notified at a regular pace regarding security updates.
Thoughts?

I think that is a better option the way you have set it up, @MylesBorins. I like it, thank you for making the change.
Closing as no one seems to have an issue with new settings.
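
As an added example, not code from the thread or from the nodejs.dev project: the JavaScript below checks whether a proposed update is already admitted by the package.json range (the "fuzzy versioning" point raised above) and applies the security-only, patch-level automerge policy described in the settings change. The semver handling is simplified (plain x.y.z versions with ^, ~ and exact ranges), and `triage`, the package names and the versions are constructed for illustration.

```javascript
// Added example; simplified semver: plain x.y.z versions, ^ / ~ / exact ranges only.
const parse = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
};
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};
// Exclusive upper bound of a caret or tilde range, following npm's rules for 0.x.
function upperBound(op, [maj, min, pat]) {
  if (op === "~") return [maj, min + 1, 0];
  if (maj > 0) return [maj + 1, 0, 0];
  return min > 0 ? [0, min + 1, 0] : [0, 0, pat + 1];
}
// True when the package.json range already admits `version`.
function coveredByRange(range, version) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const base = parse(op ? range.slice(1) : range);
  const v = parse(version);
  if (!op) return cmp(v, base) === 0;
  return cmp(v, base) >= 0 && cmp(v, upperBound(op, base)) < 0;
}
function updateLevel(from, to) {
  const [a, b] = [parse(from), parse(to)];
  if (a[0] !== b[0]) return "major";
  if (a[1] !== b[1]) return "minor";
  return a[2] !== b[2] ? "patch" : "none";
}
// Hypothetical triage mirroring the settings in the thread:
// PRs only for security fixes, automerge only when the fix is patch level.
function triage({ range, locked, proposed, security }) {
  const level = updateLevel(locked, proposed);
  return { level, coveredByRange: coveredByRange(range, proposed),
           openPr: security, automerge: security && level === "patch" };
}
// Constructed sample updates; package names and versions are made up.
const samples = [
  { name: "pkg-a", range: "^4.17.11", locked: "4.17.11", proposed: "4.17.15", security: true },
  { name: "pkg-b", range: "^2.0.0", locked: "2.0.1", proposed: "2.3.0", security: true },
  { name: "pkg-c", range: "~1.2.3", locked: "1.2.3", proposed: "1.3.0", security: false },
  { name: "pkg-d", range: "^0.2.3", locked: "0.2.3", proposed: "0.3.0", security: true },
];
for (const s of samples) console.log(s.name, triage(s));
```

A version being covered by the range only helps installs that ignore or regenerate package-lock.json; with the lockfile committed, the locked version stays until the lockfile itself is updated.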