It not hard since opus or gpt-5.4 anymore. I check most of my Makefiles with them to update wrong deps.

GitHub lists one dependent repo for curl and that too is a mistake.

it’s cache-invalidation in different clothes, it will always be a pain in the tucus

Dependency tracking for security is like any other security work: the purpose is to create the perception of security, not actual security. You can sell the perception of security. You can't sell actual security. That's why every other corporation has a WAF now that doesn't block attacks but does block legitimate traffic, and how Cloudflare managed to create the world's biggest MITM without a single crime.