I would suggest using a deny list. You will get an initial spray of PRs, mostly to `bom/pom.xml`. Some we will reject as unsafe (likely breaking change for plugins relying on core classpath), which we can then add as exclusions in Dependabot config. But we may be surprised by helpful updates that we would never have thought to add to an allow list.
-- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr3v5CgCcqf%3DMysY8N9-AOpOrFkqh%2BuNLxbSx%3DVw3Q%2Bynw%40mail.gmail.com.
