Open
Many companies rely on GitHub Advanced Security offerings to detect vulnerabilities in codebases. Dependabot is one such tool. Its ability to keep dependencies up to date is nice, but from a security perspective its ability to create alerts on vulnerabilities in dependency versions is crucial. It currently supports various package ecosystems including npm, pnpm, and yarn. It does not yet support deno.
Lack of Dependabot support/integration is a blocker for teams wanting to use deno in organizations that require Dependabot security alerting.
Ideas:
- Work with GitHub Advanced Security to help them support deno for security updates (ideally for general version updates and private repositories/registries too but at a minimum for security updates).
- Support some npm/pnpm/yarn lock file format, e.g. if deno can generate the package-lock.json file in the same format that npm does, then users will be able to use Dependabot today without issues. This should work short term until more tools support deno.lock, but it could also work long term as part of Deno's Node compatibility.
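As an illustration of the second idea, here is an added example (not Deno's or Dependabot's code) that rewrites the npm section of a deno.lock into a minimal lockfileVersion 3 package-lock.json, the shape npm itself writes. It assumes the deno.lock v3 layout (`packages.specifiers` and `packages.npm`; later lockfile versions changed this layout), uses the public npm registry for `resolved` URLs, and runs on a constructed sample lockfile with placeholder integrity values. Whether Dependabot accepts the output for alerting would have to be checked against a real repository.

```python
"""Convert the npm section of a deno.lock (v3 layout) into a minimal
package-lock.json (lockfileVersion 3) so npm-aware tooling can read it."""
import json

# Constructed sample deno.lock (v3 layout); integrity values are placeholders.
SAMPLE_DENO_LOCK = {
    "version": "3",
    "packages": {
        "specifiers": {
            "npm:express@4": "npm:express@4.18.2",
            "npm:@scope/tool@^1": "npm:@scope/tool@1.2.0",
        },
        "npm": {
            "express@4.18.2": {
                "integrity": "sha512-PLACEHOLDERexpress",
                "dependencies": {"accepts": "accepts@1.3.8", "debug": "debug@2.6.9"},
            },
            "accepts@1.3.8": {"integrity": "sha512-PLACEHOLDERaccepts", "dependencies": {}},
            "debug@2.6.9": {"integrity": "sha512-PLACEHOLDERdebug2", "dependencies": {}},
            "@scope/tool@1.2.0": {
                "integrity": "sha512-PLACEHOLDERtool",
                "dependencies": {"debug": "debug@4.3.4"},
            },
            "debug@4.3.4": {"integrity": "sha512-PLACEHOLDERdebug4", "dependencies": {}},
        },
    },
    "remote": {},
}


def split_name_version(key):
    """'@scope/name@1.2.0' -> ('@scope/name', '1.2.0'); split at the last '@'."""
    name, _, version = key.rpartition("@")
    return name, version


def tarball_url(name, version):
    """Public-registry tarball URL (assumption: packages come from registry.npmjs.org)."""
    base = name.split("/")[-1]  # scoped packages use only the bare name in the file name
    return f"https://registry.npmjs.org/{name}/-/{base}-{version}.tgz"


def deno_lock_to_package_lock(deno_lock, project_name="app"):
    """Build a lockfileVersion 3 structure: one hoisted copy per package name at
    node_modules/<name>, and conflicting versions nested one level under the
    package that depends on them (deeper conflicts are not handled here)."""
    npm = deno_lock.get("packages", {}).get("npm", {})
    specifiers = deno_lock.get("packages", {}).get("specifiers", {})

    # Direct dependencies are the npm: specifiers the project itself imports.
    root_deps = {}
    for resolved in specifiers.values():
        if resolved.startswith("npm:"):
            name, version = split_name_version(resolved[len("npm:"):])
            root_deps[name] = version

    # Hoisting: direct dependencies win, then the first version seen.
    hoisted = dict(root_deps)
    for key in npm:
        name, version = split_name_version(key)
        hoisted.setdefault(name, version)

    def entry(key):
        name, version = split_name_version(key)
        info = npm[key]
        deps = {dn: split_name_version(dk)[1] for dn, dk in info.get("dependencies", {}).items()}
        e = {"version": version, "resolved": tarball_url(name, version), "integrity": info["integrity"]}
        if deps:
            e["dependencies"] = dict(sorted(deps.items()))
        return e

    packages = {"": {"name": project_name, "dependencies": dict(sorted(root_deps.items()))}}
    for name, version in hoisted.items():
        packages[f"node_modules/{name}"] = entry(f"{name}@{version}")

    # Versions that lost the hoist are nested under each package that needs them.
    for key, info in npm.items():
        parent, _ = split_name_version(key)
        for dep_key in info.get("dependencies", {}).values():
            dname, dver = split_name_version(dep_key)
            if hoisted[dname] != dver:
                packages[f"node_modules/{parent}/node_modules/{dname}"] = entry(dep_key)

    return {
        "name": project_name,
        "lockfileVersion": 3,
        "requires": True,
        "packages": dict(sorted(packages.items())),
    }


if __name__ == "__main__":
    print(json.dumps(deno_lock_to_package_lock(SAMPLE_DENO_LOCK), indent=2))
```

The output carries exactly the fields a scanner needs to match advisories: package name, resolved version, and integrity hash. What it deliberately omits (dev/optional flags, peer dependencies, non-registry sources) is the part a real implementation would have to fill in from deno.lock before the file could stand in for npm's own.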