How to group security updates? #10645
Unanswered
christian-schwaderer asked this question in Q&A
In a Node.js repo I have Dependabot running. But since Dependabot alerts are sometimes incomplete and not as fast as NPM advisories, we've added `npm audit` to our pre-merge checks as another line of defense. Hence, if there is any vulnerable package, the checks will fail and the PR cannot be merged.

Now, the problem is: more often than not, multiple advisories are released more or less at the same time. Hence, Dependabot PRs will fail: PR A, addressing vulnerability A, will fail because vulnerability B is still there and not addressed. And PR B, addressing vulnerability B, will fail because vulnerability A is still there and not addressed.

I now looked into grouping Dependabot PRs. But, unfortunately, that doesn't seem to be the solution. In fact, according to the official docs, Dependabot does the exact opposite of what I want:

So, now, is there a way of always grouping all Dependabot security updates?
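One way to stop the `npm audit` gate from blocking PR A on vulnerability B, written here as an added example that is not part of the original post: compare the audit report of the PR branch with the report of its base branch and fail only when the PR introduces an advisory that the base does not already carry. It assumes the npm 7+ `npm audit --json` shape (`vulnerabilities` keyed by package name, with `via` entries that carry a numeric `source` advisory id for direct advisories); the two sample reports are constructed and their ids are made up.

```javascript
// Differential npm audit gate: a PR passes if it introduces no advisory that the
// base branch does not already have, so fixing vuln A is not blocked by vuln B.
// Assumes the npm 7+ `npm audit --json` shape; the sample reports are constructed.

// Collect "package@advisory-id" keys for every direct advisory in a report.
// In `via`, direct advisories are objects with a numeric `source`; transitive
// entries are plain package-name strings and are skipped (they repeat a direct one).
function advisoryKeys(report) {
  const keys = new Set();
  for (const [pkg, entry] of Object.entries(report.vulnerabilities || {})) {
    for (const via of entry.via || []) {
      if (typeof via === "object" && via !== null && Number.isInteger(via.source)) {
        keys.add(`${pkg}@${via.source}`);
      }
    }
  }
  return keys;
}

// Compare base and head reports; only newly introduced advisories block the merge.
// The unconditional `npm audit` check still belongs on the default branch itself.
function evaluatePr(baseReport, headReport) {
  const base = advisoryKeys(baseReport);
  const head = advisoryKeys(headReport);
  const introduced = [...head].filter((k) => !base.has(k)).sort();
  const fixed = [...base].filter((k) => !head.has(k)).sort();
  return { introduced, fixed, mergeable: introduced.length === 0 };
}

// Constructed sample: the base branch has two open advisories (ids are made up).
const BASE_REPORT = { vulnerabilities: {
  "pkg-a": { severity: "high", via: [{ source: 1001, name: "pkg-a", url: "https://example.invalid/advisory/1001" }] },
  "pkg-b": { severity: "moderate", via: [{ source: 1002, name: "pkg-b", url: "https://example.invalid/advisory/1002" }] },
  "app": { severity: "high", via: ["pkg-a", "pkg-b"] },
}};
// Constructed sample: a Dependabot PR that bumps pkg-a and leaves pkg-b untouched.
const HEAD_REPORT = { vulnerabilities: {
  "pkg-b": { severity: "moderate", via: [{ source: 1002, name: "pkg-b", url: "https://example.invalid/advisory/1002" }] },
  "app": { severity: "moderate", via: ["pkg-b"] },
}};

// In CI, produce the two reports with `npm audit --json` on the base and head
// checkouts, then set the job's exit status from `mergeable`.
const result = evaluatePr(BASE_REPORT, HEAD_REPORT);
console.log(JSON.stringify(result));
```

Seen this way, the PR fixing pkg-a is mergeable even though pkg-b is still open, while a PR that reintroduced pkg-a would be rejected.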