Thomas Sibley

> A complementary direction would be to allow node-data JSONs to encode relevant config settings. It is often the case that the command which generates them knows about how they...

ISTR discussing this behaviour (or similar) before but can't recall specifics. In any case, I think the behaviour in this PR is more favorable, but it's definitely up for discussion....

Updated the changelog in [f48f196](https://github.com/nextstrain/augur/pull/1010/commits/f48f196611f6f4be52bb8845e914f55a6da1fcf3) and then rebased onto latest master to resolve conflicts before merge.

`tests/builds/runner.sh` was added in 2710dbceac4ca433d86567d7995a1c9687eb797a by @jameshadfield to the Travis CI config. It was first mentioned in `DEV_DOCS.md` in e17be15 by @huddlej and then subsequently reworked in 0878320 and 070c6a7....

Maybe we should `.gitignore` these files instead? They might be test outputs that someone wants to inspect?

Is the plan to eventually replace the remaining treetime-based functions like `augur.date.get_numerical_dates()` with the new ones introduced here?

Some thoughts to start discussion… How are we being held back by the current process of using known-good/locked versions of deps? How would we be propelled forward by continually closely...

Ah, those toggles you screenshotted are high-level switches, but there's [a lot of configuration](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates) that can be done using a `.github/dependabot.yml` file, including setting a schedule.

(Although monthly is the longest interval. I'm also not sure if you can have different schedules for security vs. non-security updates.)

> 4\. Disable the feature [in repo settings](https://github.com/nextstrain/auspice/settings/security_analysis) (reduces PR clutter but no visibility to security issues) Won't security issues still get flagged on the repo (and sent as notifications...