Hiya friends,

GitHub shipped five new Dependabot ecosystems in a single week. And most public repos still don't have CodeQL enabled. Let's fix both.

🚢 What Shipped

Dependabot's Big Week

GitHub shipped version update support for Bazel, Julia, OpenTofu, and Conda, plus security updates for uv, the Python package manager that's been eating pip's lunch.

If you're using any of these, Dependabot now watches your back.

Enable it now:

  1. Go to your repo → Settings → Security → Advanced Security

  2. Click "Enable" next to Dependabot alerts

  3. Click "Enable" next to Dependabot security updates

  4. Alerts and security updates need no config file. For version updates (regular PRs bumping every dependency, not just vulnerable ones), add a .github/dependabot.yml file to your repo:

version: 2
updates:
  - package-ecosystem: "uv" # or npm, docker, github-actions, etc.
    directory: "/"         # where the manifest/lockfile lives
    schedule:
      interval: "weekly"   # or "daily", "monthly"

Done. Dependabot will open PRs when updates are available.
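If one ecosystem with a weekly cadence is all you need, the snippet above is enough. Once a repo has a lockfile plus Actions plus a Dockerfile, the PR volume gets noisy, and the useful knobs are grouping, limits, and ignores. The config below is an added example written for this post, not GitHub's own sample: the ecosystem list is mine, "some-framework" under ignore is a placeholder dependency name, and "deps" is an assumed commit-message prefix.

```yaml
# .github/dependabot.yml (added example; names marked below are placeholders)
version: 2
updates:
  # Python project managed with uv. Weekly on Monday, minor+patch bumps
  # collapsed into one PR so review effort stays flat.
  - package-ecosystem: "uv"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10     # default is 5; raise it for busy repos
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps"                 # assumed prefix, matches our conventional-commit style
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    ignore:
      # Placeholder: hold back major bumps of a framework that needs a manual migration.
      - dependency-name: "some-framework"
        update-types: ["version-update:semver-major"]

  # Pin-bumps for the actions used in .github/workflows. Cheap to review,
  # and stale action pins are a common supply-chain gap.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # Base-image bumps for the Dockerfile at the repo root.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
```

Security updates still arrive as their own PRs regardless of these settings; the groups and ignore rules above apply to version updates only. Check the file in the repo's Insights → Dependency graph → Dependabot tab, which shows the last run and any parse errors.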

CodeQL: The Security Scanner You're Not Using

CodeQL is free for every public repository. Has been for years. It catches SQL injection, XSS, hardcoded credentials, and dozens of other vulnerabilities before they hit production.

Most repos don't have it enabled. That's wild.

Enable it now:

  1. Go to your repo → Settings → Security → Advanced Security

  2. Find "Code scanning" → Click "Set up" → "Default"

  3. That's it. Three clicks.

GitHub auto-detects your languages and runs CodeQL on pushes and pull requests to your default branch, plus a weekly scheduled scan. No config file needed. Results show up in the Security tab and as PR annotations.

For private repos, you'll need GitHub Advanced Security. But if your code is public? This is free. Go turn it on.
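Default setup is the right call for most repos. The one time to reach for the advanced setup is when you want to tune what runs: the larger security-extended query pack, a manual build for a compiled language autobuild can't figure out, or a different branch list. That means committing a workflow like the one below. This is an added example, not the post's or GitHub's own file; the branch name "main" and the language matrix are assumptions for a Python plus JavaScript repo.

```yaml
# .github/workflows/codeql.yml (added example; branch and language matrix are assumptions)
name: "CodeQL"

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    - cron: "30 3 * * 1"   # weekly Monday run, mirrors what default setup does

# Least privilege: the job only needs to read code and upload results.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: ["python", "javascript-typescript"]
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Broader than the default pack; more findings, more triage.
          queries: security-extended

      # No-op for interpreted languages; for C/C++, Java, etc. replace this
      # step with your real build commands so CodeQL sees the compiled code.
      - uses: github/codeql-action/autobuild@v3

      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Default setup and an advanced workflow are mutually exclusive for a repo, so disable default setup under Code scanning before merging this file, otherwise the workflow's uploads are rejected. The `category` value keeps each language's results separate in the Security tab instead of overwriting each other.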

📺 What I'm watching

Sam Struan on ATS-friendly résumés - ATS (Applicant Tracking Systems) is the software companies use to collect and organize job applications. There's a whole cottage industry selling "ATS compliance" services, but Sam breaks it down in two minutes: it's mostly a scam. The real test is simple. Select all text in your PDF. If your contact info isn't highlightable, it might not parse correctly. That's it. No magic.

Worth your time if: you're job hunting or helping someone who is.

This Week

It was a productive one. Wrapped up the week with Open Source Friday alongside Cassidy, Christina, and Kedasha. We don't usually get to yap together on stream, so that was a treat. (Yes, the sunglasses were necessary.) By the time you read this, I'll be en route to Seattle for my team's offsite. If you are local and wanna say hey, please DM.

When your teammates match your energy!

That's it. Two features. Three clicks each. Go secure your repos.

With gratitude, I'll see you next week,

Andrea
