dependabot is not free for org github accounts.
Having npm audit as a part of test suite cause unpredictable behaviour, since usually you also run tests in order to deploy something to production for example. Your tests previously passed but the moment you started deploy or planned to deploy, you could get error from npm audit.
My preference is to have a failure and know about the security problem if it's severe. This should not be a problem if everything else in your pipeline is handled appropriately
dependabot is not free for org github accounts.
Having npm audit as a part of test suite cause unpredictable behaviour, since usually you also run tests in order to deploy something to production for example. Your tests previously passed but the moment you started deploy or planned to deploy, you could get error from npm audit.
(1) Not true (for open source that is).
(2) Right, absolutely agreed. We have a grace period depending on severity for that reason github.com/blackflux/js-gardener/b...
My preference is to have a failure and know about the security problem if it's severe. This should not be a problem if everything else in your pipeline is handled appropriately
Dependabot is now part of github.com and completely free 🎉