The status should be shown in theDependabot tab of the Dependency Graph page.

(I can't access that, but I believe it is the correct URL.)

Oh, right, I wasn't aware!

Indeed it's already active, maybe it will produce a PR soon.

Nice! :)

I considered also opening a PR like this in the gitdb repository so that its smmap submodule would be updated automatically. That is updated less often, though, and I'm not sure it would really be worthwhile to do that. If you think it is, I'll open such a PR as well.

Edit: I see that Dependabot has successfully created a PR,#1704. (If you comment with@dependabot merge, or@dependabot squash and merge, it will wait until CI passes and, only if it passes, then merge the PR automatically. You need not do this, of course.)

While these repos exist, it's probably worth it (even thoughsmmap truly changes rarely.). Thanks for yourtremendous help.

I will do so shortly. Given this, I suggest not yet merging the existing Dependabot PR here (via commands or otherwise). May as well wait for the submodule update from the gitdb PR being merged there. No need to do anything at all on#1704 actually; when Dependabot opens a new one for that same dependency, it will automatically close#1704, though you may need to trigger Dependabot manually to do another scan to see it.

I've proposed the analogous change to gitdb (for updating the smmap submodule) ingitpython-developers/gitdb#99.

It looks like it doesn't automatically trigger now, probably due to the weekly cadence. I guess it's fair to merge the one open PR now and wait for the next one (as also I can't trigger a scan by hand).

I think it's worth looking into why you can't manually trigger it, before merging#1704.

Sorry, that was too late. It's fine to me as well - maybe I was just overlooking something -turns out I was not seeing the button that at least now is there. Now it's scanning.

It's allowing you to manually trigger the scan now?

Oh, I see. When you said it was too late, you meant you had already merged the first one. I think that's no problem at all, though.

probably due to the weekly cadence

The cadence for action updates is set to weekly, but I actually set the cadence for submodule updates to monthly, both here and in gitdb. Would you prefer it be weekly?

If so, I could open new PRs for that. Editingdependabot.yml always triggers new scans, so if you prefer weekly cadence but don't want more scans right now, I could wait until next time I'm already proposing some other change to gitdb to do that in both repositories. (I have no other specific change in mind currently but I'm fairly sure I'll end up opening another PR there at some point.)

Yes, please feel free to change the cadence next time you get to it 🙏 - a PR specifically for that right now isn't necessary though.

I've opened#1721 andgitdb#104 to change the cadence of Dependabot submodule updates from monthly to weekly, in this and the gitdb repository, respectively. With recent and proposed changes to gitdb, this seemed like a reasonable time, but for maximum flexibility I've opened them as their own PRs instead of including them in other PRs.