
Dependabot lets you know if a dependency you use has a vulnerability and opens a PR. The problem comes when teams are unwilling to merge those PRs even if tests pass. In my experience there's a very binary split here. Some codebases (especially open source libraries themselves) will immediately merge a Dependabot PR if tests are passing. Many companies, though, find these PRs languish because they really need manual review to see if the change is safe, and then an engineer needs to budget time in the case where it's not. These build up.
