Jon Janego

Results 36 comments of Jon Janego

> We're ready as well, and IMO it's really about time people moved on. So no big concerns for my part, but it is a business decision you have to...

Hello watchers -- we are planning to drop support for composer v1 in early November. [Here's a discussion I posted with more details](https://github.com/dependabot/dependabot-core/discussions/10760).

> OK, quick update- this isn't going to work as is. There are other bugs in it also, and now taking a deeper look at the way pdm/uv/pip-compile/etc are supported...

Agree with your assessment @juxtin

Hi @virangdoshi , thank you for the suggestion. In the meantime, I suggest you consider enabling [Dependabot alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) for your repositories, which will alert you to vulnerable package versions, as...

Hi @ebickle !

> Modify `comment-summary-in-pr: on-failure` so that a comment is added if any dependency review failure occurs, even if `warn-only: true` is set.

Just so that I understand,...

re:

> I'd like to open a second pull request to have dependency review optionally create a [pull request status check](https://docs.github.com/en/rest/checks/runs?apiVersion=2022-11-28#create-a-check-run) that is independent of the workflow. This would allow...

> I've since moved to an approach that adds a commit check instead so it's not something I directly need any longer, but it seems like a valuable change that...

👋 from the GitHub Dependabot team. There's a [PR in dependabot-core](https://github.com/dependabot/dependabot-core/pull/10040) that aims to help support uv. @zanieb in case you didn't notice the tag there, I'm pinging you here...

Hi @ben-wilson-peak ! Could you elaborate a bit more on the workflow you're thinking of, for when you'd use a SARIF output after running the action?