Go library maintainer brands GitHub's Dependabot a 'noise machine'
The Register
February 24, 2026
AI-Generated Deep Dive Summary
A Go library maintainer has criticized GitHub's Dependabot as a "noise machine" that generates excessive false positives, causing alert fatigue and blunting its usefulness against real security risks. Filippo Valsorda, who previously led the Go security team at Google and now maintains the cryptography packages in the Go standard library as well as the `filippo.io/edwards25519` library, described how a single-line fix he shipped triggered thousands of automated pull requests (PRs) across unrelated repositories. Dependabot, which matches the dependency versions recorded in a project's manifest and lock files against the GitHub Advisory Database, presented each of these PRs as a critical security update even though, in many of the affected repositories, no exploitable vulnerability existed. Valsorda argued that this causes confusion and distracts developers from addressing genuine security issues.
The issue stems from Dependabot's lack of precision about whether the vulnerable functions or code paths are actually used by a project. According to Valsorda, the tool appears to check only for the presence of a dependency at an affected version, not whether the project calls the affected code, so a vulnerability that lives in one rarely used function is reported to every project that imports the library at all. The result is false alarms and unnecessary work for developers. For instance, after the fix to `filippo.io/edwards25519`, Dependabot produced warnings citing a CVSS score Valsorda described as made up, along with notes about compatibility risk, even though most projects using the library never called the affected function.
Valsorda also criticized Dependabot's approach to dependency updates, arguing that upgrades should follow a project's own development cycle rather than be triggered automatically every time a new package version appears, and that updated dependencies should be tested in a controlled environment before reaching production. Rather than relying solely on manifest-level tools like Dependabot, he recommended static analysis with `govulncheck`, the Go team's vulnerability scanner, which reads the Go vulnerability database and builds a call graph of the program so that it reports only vulnerabilities whose affected functions are actually reachable from the code being analyzed. That reachability is computed statically, so it shares the usual limits of call-graph analysis and a vulnerability in code reached only through dynamic mechanisms may go unreported, but it eliminates the class of alert that fires merely because a library appears in go.mod.
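To make the presence-versus-reachability distinction concrete, here is an added example (not code from The Register, from Valsorda, or from govulncheck itself) that contrasts the two levels of evidence in Go. `moduleRequired` does what a manifest-level scanner does: it matches a module path in a constructed go.mod. `analyzeFile` parses a Go source file with the standard `go/parser` and asks whether a named exported symbol of that package is ever referenced. The go.mod contents, the sample source files, the version `v1.1.0` and the symbol name `AffectedFunc` are all constructed placeholders; the article does not name the function the fix touched. The check is deliberately a syntactic, per-file proxy for govulncheck's whole-program call-graph analysis, and it errs toward reporting: dot imports and parse failures are treated as reachable.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"path"
	"strconv"
	"strings"
)

// Verdict is what a source-level check can say about one advisory symbol.
type Verdict int

const (
	NotImported      Verdict = iota // package never imported: a manifest-only alert is pure noise
	ImportedNotUsed                 // package imported, affected symbol never referenced
	SymbolReferenced                // affected symbol referenced: worth a real look
	Unknown                         // dot import or parse error: cannot attribute identifiers, treat as reachable
)

// moduleRequired reports whether goMod lists modPath in a require directive: roughly the
// evidence a manifest-level scanner acts on. The module is present, so the advisory fires.
func moduleRequired(goMod, modPath string) bool {
	for _, line := range strings.Split(goMod, "\n") {
		fields := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(fields) >= 2 && fields[0] == modPath {
			return true
		}
	}
	return false
}

// analyzeFile parses one Go file and reports whether symbol from pkgPath is referenced.
// Syntactic, per-file proxy for govulncheck's call-graph reachability: the default local
// name is approximated by the last path element (a real tool resolves it with go/types).
func analyzeFile(filename, src, pkgPath, symbol string) (Verdict, error) {
	f, err := parser.ParseFile(token.NewFileSet(), filename, src, 0)
	if err != nil {
		return Unknown, err
	}
	local, imported := "", false
	for _, imp := range f.Imports {
		p, err := strconv.Unquote(imp.Path.Value)
		if err != nil || p != pkgPath {
			continue
		}
		imported = true
		switch {
		case imp.Name == nil:
			local = path.Base(p)
		case imp.Name.Name == ".":
			return Unknown, nil // bare identifiers may come from the package; cannot tell
		case imp.Name.Name == "_": // blank import: side effects only, nothing callable here
		default:
			local = imp.Name.Name
		}
	}
	if !imported {
		return NotImported, nil
	}
	found := false
	ast.Inspect(f, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			if id, ok := sel.X.(*ast.Ident); ok && local != "" && id.Name == local && sel.Sel.Name == symbol {
				found = true
			}
		}
		return !found
	})
	if found {
		return SymbolReferenced, nil
	}
	return ImportedNotUsed, nil
}

// Constructed sample inputs, not from any real project. The version and the symbol
// AffectedFunc are placeholders: the page does not say which function the fix touched.
const sampleGoMod = "module example.com/app\n\ngo 1.22\n\nrequire filippo.io/edwards25519 v1.1.0\n"
const fileScalarOnly = `package main
import "filippo.io/edwards25519"
func main() { var seed [64]byte; s, _ := edwards25519.NewScalar().SetUniformBytes(seed[:]); _ = s }
`
const fileAffected = `package main
import ed "filippo.io/edwards25519"
func main() { ed.AffectedFunc() } // placeholder for the symbol the advisory names
`
const fileNoImport = "package main\nimport \"fmt\"\nfunc main() { fmt.Println(\"no edwards25519 here\") }\n"

func main() {
	const pkg, sym = "filippo.io/edwards25519", "AffectedFunc"
	fmt.Printf("manifest lists %s: %v (a manifest-level scanner stops here)\n", pkg, moduleRequired(sampleGoMod, pkg))
	for name, src := range map[string]string{"scalar.go": fileScalarOnly, "affected.go": fileAffected, "other.go": fileNoImport} {
		v, err := analyzeFile(name, src, pkg, sym)
		fmt.Printf("%-12s %s err=%v\n", name, [...]string{"not imported", "imported, symbol unused", "symbol referenced", "unknown"}[v], err)
	}
}
```

Only `affected.go` should turn into an alert; `scalar.go` imports the library but never references the placeholder symbol, which is the situation Valsorda describes for most edwards25519 users. The example intentionally stops short of what govulncheck does: it does not follow calls into other dependencies, it counts a reference even if the call is never executed, and it cannot see a package whose declared name differs from its import path's last element.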
While Valsorda acknowledged that Dependabot has its place for teams with limited resources, he stressed the need for more accurate