Request Feedback: Dependabot integration

Hi everyone! We integrated Dependabot with the OpenSearch repository. Dependabot issues auto-PRs for what it finds and is a useful tool to assist in keeping our dependencies up-to-date.

One of the common issues with integrating Dependabot is that once it is integrated with a repo, some forks start getting Dependabot update PRs once they sync with the upstream.
(Related issue: dependabot/dependabot-core #2198, ".dependabot/config.yml and forks", on GitHub)

We believe the tradeoff of opening PRs against forks is worth it to rapidly patch the main repository.

  1. Does anyone know of a way to achieve our results that doesn't require this trade-off?
  2. What do you think of this tradeoff?

Please let us know - we will keep this open until Wednesday, March 2nd.

Thank you