> it seems impossible to know

It is as you say, everyone does their own thing.

> how tools like Dependabot and friends should interpret "versions qualifiers that carry meaning"

They cannot, no better than we can. One has to engage with each individual project to understand what they are trying to convey in their versioning. When a project publishes an artifact with a version suffix like '-alpha' or '-beta', is it safe to use? I don't know, it depends on the project, and what that term means to them. Even first-party Maven plugins were putting out some '-M1', '-M2' suffixes for a while. What's that mean? Apparently 'Milestone X'. Is it safe to use? Apparently yes, but you'd have to read the release notes to know that, and it will not apply to other projects.

I don't think Dependabot is particularly useful in general. It generates a lot of churn with keeping libraries updated, but it can't know if you *should* update. You could defer all of that until you're just about ready to make a release, do it all at once, and not care that some dependency had 10 minor updates between your releases. You don't gain anything by being on the bleeding edge with every dependency all the time. New versions are just as likely to have new bugs and CVEs, and if your slightly stale dependency has a CVE, consumers of your project are free to override your transitive dependencies themselves.
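As an added illustration of the point above (not code from this thread or from any of the tools named), here is a small Python model of the fixed qualifier table that Maven-style tooling uses to order versions: the ordering `alpha < beta < milestone < rc < snapshot < release < sp`, the single-letter and `final`/`ga` aliases, and the rule that an unrecognised qualifier sorts after everything else, are assumed here to mirror Maven's `ComparableVersion`, but this is a teaching reimplementation with constructed sample versions, not Maven's code. It shows that a tool can rank `-M1` but has no field anywhere that says whether the project considers it safe.

```python
import re

# Fixed qualifier table (assumed to mirror Maven's ComparableVersion; simplified).
KNOWN = ["alpha", "beta", "milestone", "rc", "snapshot", "", "sp"]
ALIASES = {"a": "alpha", "b": "beta", "m": "milestone",
           "cr": "rc", "ga": "", "final": "", "release": ""}
PRERELEASE = {"alpha", "beta", "milestone", "rc", "snapshot"}

def split_version(v):
    """Return (numeric tuple, qualifier word, qualifier number) for e.g. '1.2-M1'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)[.-]?(.*)", v.lower())
    if not m:
        raise ValueError(f"unparseable version: {v}")
    numbers = [int(p) for p in m.group(1).split(".")]
    while len(numbers) > 1 and numbers[-1] == 0:   # trailing zeros are dropped: 1.0 == 1
        numbers.pop()
    q = re.fullmatch(r"([a-z]*)-?(\d*)", m.group(2))
    # Multi-segment qualifiers such as 'rc1-SNAPSHOT' are treated as one unknown word here.
    word, num = (q.group(1), q.group(2)) if q else (m.group(2), "")
    # Single letters a/b/m only stand for alpha/beta/milestone when a digit follows.
    if word in ALIASES and not (word in ("a", "b", "m") and not num):
        word = ALIASES[word]
    return tuple(numbers), word, int(num) if num else 0

def sort_key(v):
    numbers, word, num = split_version(v)
    rank = KNOWN.index(word) if word in KNOWN else len(KNOWN)
    # Unknown qualifiers land after every known one, ordered among themselves lexically.
    return (numbers, rank, "" if word in KNOWN else word, num)

def is_prerelease(v):
    """What a tool can honestly report: True/False for table entries, None for anything else."""
    _, word, _ = split_version(v)
    if word in PRERELEASE:
        return True
    if word in ("", "sp"):
        return False
    return None   # e.g. '-hotfix': only the project's own release notes can say

# Constructed sample set mixing documented and undocumented qualifiers.
SAMPLE = ["1.0-sp1", "1.0", "1.0-SNAPSHOT", "1.0-rc1", "1.0-M2",
          "1.0-beta", "1.0-alpha1", "1.0-hotfix", "0.9"]

def ordered(versions=SAMPLE):
    return sorted(versions, key=sort_key)

if __name__ == "__main__":
    for v in ordered():
        print(f"{v:14} prerelease={is_prerelease(v)}")
```

Note that `1.0-hotfix` sorts above the `1.0` release: an update bot ranking purely by this table would offer it as an upgrade without any idea what the project meant by it.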
