The other day, GitHub sent me a notification that there were a couple of security vulnerabilities in the dependencies of one of my personal projects, castaway. Having used Dependabot at work, I figured I’d enable it and get that vulnerability taken care of.

After I merged one of Dependabot’s PRs, I was shocked (😱) to find that semantic-release hadn’t made a release for it. Dependabot prefixed the commit with build(deps):, and semantic-release only creates releases for commits with prefixes fix and feat.

What’s the point of a security update if it doesn’t actually build a new image? Looks like I’ve got some work to do.