This blog uses a GitHub Action to automatically merge pull requests from dependabot so long as the Netlify deploy preview check succeeds. It was a bit of a pain to get going, and always seemed like a process that GitHub could have made easier.

Of course, that was on purpose:

While I agree with Justin that researchers are more likely to audit packages than clients and supply chain attacks are worth solving, Accelerate¹ makes a compelling case that it’s better to deploy both good and bad packages faster than stall either in the meantime. Besides, security-sensitive projects already know who they are and have integration processes for auditing dependency updates promptly; automerge is for the rest of us.
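The automerge setup described at the top of this post, as an added example rather than the blog's own workflow: it enables GitHub auto-merge on Dependabot PRs for patch and minor bumps only, and GitHub performs the merge once the branch-protection rules are satisfied. It assumes the repository has "Allow auto-merge" turned on and that the Netlify deploy-preview status check is listed as a required check on the protected branch; without that required check, `--auto` would merge as soon as the workflow runs.

```yaml
# Added example, not the blog's workflow. Assumes branch protection on the
# default branch requires the Netlify deploy-preview status check and that
# "Allow auto-merge" is enabled in the repository settings.
name: dependabot-automerge

on:
  pull_request:

# Dependabot-triggered workflows get a read-only GITHUB_TOKEN unless the
# workflow asks for more; these two scopes are what `gh pr merge` needs.
permissions:
  contents: write
  pull-requests: write

jobs:
  automerge:
    # Act only on PRs authored by Dependabot from this repository, never on
    # PRs that merely mention it or that arrive from a fork.
    if: >-
      github.actor == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - name: Read Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable auto-merge for patch and minor updates
        # Major bumps are left for a human to review. Patch and minor bumps
        # are queued for merge, which GitHub completes only after every
        # required check (including the Netlify deploy preview) is green.
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
          steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```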