The real issue is the cancer practice in our software development industry of updating dependencies for the sake of updating.
Deps should be updated when you need some features or bugfixes from the new versions; not just when DependaBot prompts you to do it.
I see value in DependaBot and things like that only to check that your module still passes your CI with upgraded dependencies (and if not, then it's worth looking at the failure, to be prepared for the updgrade in the future).
The real issue is the cancer practice in our software development industry of updating dependencies for the sake of updating.
Deps should be updated when you need some features or bugfixes from the new versions; not just when DependaBot prompts you to do it.
I see value in DependaBot and things like that only to check that your module still passes your CI with upgraded dependencies (and if not, then it's worth looking at the failure, to be prepared for the updgrade in the future).
Other ecosystems have better protections against compromised packages? I don't see it.