
Conversation

@raineorshine

Why:

Dependabot continues giving updates even after being disabled if a dependabot.yml file is present. Deleting dependabot.yml is a necessary step for disabling dependabot completely.

This was perplexing me for months, but I found the solution here: https://github.community/t/disable-dependabot/143425/5

What's being changed:

A missing step is being added to the instructions for disabling dependabot.


@github-actions github-actions bot added the label triage (Do not begin working on this issue until triaged by the team) Apr 6, 2022
github-actions bot commented Apr 6, 2022

Automatically generated comment ℹ️

This comment is automatically generated and will be overwritten every time changes are committed to this branch.

The table contains an overview of files in the content directory that have been changed in this pull request. It's provided to make it easy to review your changes on the staging site. Please note that changes to the data directory will not show up in this table.


Content directory changes

You may find it useful to copy this table into the pull request summary. There you can edit it to share links to important articles or changes and to give a high-level overview of how the changes in your pull request support the overall goals of the pull request.

Source: content/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates.md
What changed: Modified (preview links: Modified / Original)

@ramyaparimi ramyaparimi added the labels content (This issue or pull request belongs to the Docs Content team), waiting for review (Issue/PR is waiting for a writer's review) and dependabot (Content related to Dependabot), and removed the label triage (Do not begin working on this issue until triaged by the team) Apr 6, 2022
@ramyaparimi
Contributor

@raineorshine
Thanks so much for opening a PR! I'll get this triaged for review ⚡

@mchammer01 mchammer01 self-requested a review April 6, 2022 15:30
@mchammer01
Contributor

I'll review this tomorrow!

@mchammer01
Contributor

mchammer01 commented Apr 7, 2022

@raineorshine 👋🏻 - thanks for contributing to our docs ✨
I'd like some clarification on your update as I am slightly confused.

  • Dependabot security updates are usually enabled and disabled via the UI ("Enable/Disable" button as shown in one of the screenshots in the GitHub Community post you kindly linked to). An engineer from the Dependabot team told me that we do sometimes recommend that users check in a config file for security updates and set the allowed open pull requests to 0. You disable Dependabot security updates via the UI. For more information, see here. When you do so, you shouldn't get any more Dependabot PRs.

  • Dependabot version updates are configured via the dependabot.yml file. To disable Dependabot version updates, you delete the dependabot.yml file from your repo. You shouldn't get any more Dependabot PRs. You can also tweak that config file if you want to disable updates temporarily for one or more dependencies, or package managers. For more information, see here.

Could you let me know if you're referring to Dependabot version updates or Dependabot security updates? Or if you're not sure. That'll enable me to help you with this PR. Thank you so much 🙏🏻 🙂
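The two dependabot.yml mechanisms mentioned in the comment above (setting the open pull request limit to 0, and tweaking the file to disable updates for one or more dependencies or package managers), shown as an added configuration example that is not part of this thread and not taken from GitHub's docs. The keys are the documented dependabot.yml keys; the dependency names are made up for illustration:

```yaml
# .github/dependabot.yml  (added example; this is the path Dependabot reads)
# This file governs Dependabot *version* updates only. Security updates are
# toggled in the repository settings UI, as the comment above explains.
version: 2
updates:
  # npm version updates stay enabled, on a weekly schedule, but two
  # dependencies are excluded without deleting the whole file.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # Constructed name: no version-update PRs at all for this package.
      - dependency-name: "example-legacy-lib"
      # Constructed name: suppress only major-version bumps for this package.
      - dependency-name: "example-framework"
        update-types: ["version-update:semver-major"]

  # GitHub Actions version updates are switched off for this ecosystem:
  # a limit of 0 means Dependabot opens no version-update PRs for it,
  # while keeping the entry in place so it can be re-enabled later.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
```

To disable Dependabot version updates for the repository entirely, remove the file from the default branch (for example `git rm .github/dependabot.yml`, then commit and push); as long as the file is present with an `updates` entry for an ecosystem, Dependabot keeps running for that ecosystem.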

@raineorshine
Author

raineorshine commented Apr 7, 2022

Ah, okay. I'm talking about dependabot version updates. I didn't recognize there were distinct types of updates. I've been trying for months to disable them, and I kept getting directed to dependabot security update instructions when I searched. Maybe we should link the docs? As in, "Are you looking for dependabot version updates? See: X"

@mchammer01
Contributor

mchammer01 commented Apr 7, 2022

I'm so sorry to hear that the docs are confusing in this respect 😢
Your suggestion seems like a great one. Let me talk to the Dependabot Updates team to see what we can do to avoid further confusion. Thank you very much for highlighting this pain point, and sorry about that 😭

@mchammer01
Contributor

@raineorshine 👋🏻 - thank you again for bringing this to our attention 💖
I am going to close your PR but I am going to open an internal issue for this so that we can improve the experience for folks using Dependabot updates like you. I'll add your suggestion to the issue and will discuss with stakeholders what the best way is for us to solve the problem.
Hope this is ok with you, and again, very sorry for the poor experience 😞

@mchammer01 mchammer01 closed this Apr 7, 2022
@raineorshine
Author

Great, thanks for your follow through.
