Should Dependabot's pull request be automatically merge?

[drnow4u]

Should Dependabot's pull request be automatically merge when pipeline is green?

[commjoen]

@MarcinNowak-codes we rather not, as we cover not all type of UI or Infrastructure tests 👍 .

[nhumblot]

I would say it is better not to, and I would like to add one more point over the valid one raised by @commjoen.

Regarding security, a new corrupted bugfix version could be somehow published to a central repository, which would make it automatically integrated into the main branch of the project.

Happened in the past multiple times in the node ecosystem, being it intentional by the maintainer or coming from someone else:

• Popular NPM Package Compromised
• Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps

Even if tools are like dependabot automate all the grinding in dependencies upgrade, a human eye is needed to have a safe upgrade. 🙂