Looking at https://github.com/ruby/ruby-bench/security/dependabot there are 30 dependabot alerts open and 330 closed, and https://github.com/ruby/ruby-bench/pulls?q=is%3Apr+is%3Aclosed+label%3Adependencies has 92 dependabot PRs merged.
This seems like a lot of noise and I'm not sure of the usefulness of these updates for ruby-bench.
Notably, the security aspect seems irrelevant, because all benchmarks are run locally and not exposed to any other host, so there is no actual danger in keeping older versions (AFAIK).
OTOH it's useful to update gem (and application) versions to be more representative of real programs, but using security vulnerabilities for that doesn't seem the right trigger; it seems better to update everything at some frequency, e.g. update Rails when there is a new major Rails release, or update all gems every N months, etc.
So my thought is it might make sense to disable dependabot for this repo (which can be done in the settings), because it doesn't seem to matter for security, and it causes a lot of noise & churn for what seems to be little gain.
Thoughts?
Related: #390