Most teams either ignore dependency drift or hand a SaaS bot org-wide write access and automerge everything. There is a middle path: run the bot yourself, make automerge a graded-trust decision, and treat the update pipeline as attack surface. Here is the whole setup, from one public repository.