
Automatically merge dependabot PRs

tjtharrison
4 min read, Jun 19, 2023


Dependabot is a GitHub feature that keeps the dependencies used by projects hosted there up to date and free of known vulnerabilities.

Dependabot is available on all GitHub projects (public and private) no matter your subscription level.

Dependabot is configured from the repository's security settings page (substitute your own owner and repository name):

https://github.com/[owner]/[project]/settings/security_analysis

Out of the box, Dependabot offers a number of levels of automation:

  • Disabled: Dependabot takes no action on your repository.
  • Notify (Dependabot alerts): Dependabot notifies repository owners when a known vulnerability is detected in a dependency used by your project.
  • Automatic PR: the highest level of automation GitHub offers out of the box; Dependabot opens a pull request that bumps the affected dependency.

It's worth noting that automatic PRs can be split into two further sub-levels:

  • Security only (Dependabot security updates): Dependabot only opens PRs for dependencies with a detected vulnerability that is fixed in a later version.
  • Version updates (Dependabot version updates): Dependabot detects when a new version of a dependency is available and opens a PR for it, whether or not it fixes a security vulnerability. This level is driven by a .github/dependabot.yml file in the repository.
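The following `.github/dependabot.yml` shows how the two sub-levels map onto configuration. It is an added example, not code from the original article: the package ecosystems (pip, GitHub Actions, an npm project under `/web`), directories and schedules are assumptions about a hypothetical repository.

```yaml
# .github/dependabot.yml (added example; the ecosystems, directories and
# schedule below are assumptions, not taken from the article).
#
# "Security only" is NOT configured in this file: it is a toggle under
# Settings > Code security and analysis > "Dependabot security updates".
# This file switches on the broader "version updates" level per ecosystem.
version: 2
updates:
  # Version updates for Python dependencies found in the repository root
  # (requirements.txt / pyproject.toml), checked once a week.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap concurrent open version-update PRs so a busy week does not
    # flood the review queue.
    open-pull-requests-limit: 5
    # Label the PRs so branch protection or a merge workflow can
    # recognise them later.
    labels:
      - "dependencies"
    # Do not raise version-update PRs for major bumps; those usually
    # need a human to read the changelog first.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

  # Keep the actions pinned in CI workflows current as well.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # "Security only" for a single ecosystem: with the limit set to 0,
  # Dependabot opens no version-update PRs for the npm project under /web,
  # while Dependabot security updates (if enabled in settings) are still
  # raised for it.
  - package-ecosystem: "npm"
    directory: "/web"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 0
```

Commit this file to the default branch; Dependabot reads it from there. The `open-pull-requests-limit: 0` trick is worth knowing because it lets you keep version updates off for a noisy ecosystem without giving up security updates for it.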

I won't dive much further into how Dependabot works; the GitHub docs do a great job of that.
