I personally think dependabot is quite useless:

- for minor updates it's not needed, end users can get the latest by doing `cargo update` themselves, without the maintainer doing anything.
- for major updates, all it does is open PRs that fail CI, spamming notifications in the process.
- it's slow, it takes *days* after a new version is released to open a PR. If it's an update a maintainer cares about, it's likely that they've already done the update themselves.