
If dependabot is part of GitHub's own infrastructure, and the last 100 pull requests it sent were good, some maintainers might think it trustworthy.

I'm pretty sure there are maintainers of Linux that Linus has been working with for long enough that he trusts them to the point that he doesn't feel the need to examine every one of their commits.

Also, he can't check every commit closely. Linux 6.5 merged 13,561 commits over 9 weeks[0], which is in excess of 200 commits per day - and that was a small release. Learning to trust regular contributors is one of the things that makes OSS work at scale.

Edit: Of course, Linus makes sure that stuff he merges from trusted contributors is actually from them, either because it's from a repo he knows they control, or it's GPG-signed and the signatures are checked. The problem is failing to confirm that commits come from the trusted source you think they're from, not failing to examine the commits themselves.

[0] https://lwn.net/Articles/941675/




There should be an actual green checkmark for Dependabot and others


Dependabot should sign its PRs with a GPG signature. And the web interface could get support to check those signatures. That is way more trustworthy than a random green flag in some web UI that changes all the time.
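The check both comments are describing, confirming that a commit really comes from the trusted author it claims to come from, is straightforward to automate with git's own signature-status fields. The script below is an added example, not code from either commenter, GitHub or Dependabot. It reads `git log` output in the format `%H %G? %GF %ae` (commit hash, signature status, fingerprint of the signing key, author email; the status letters are git's documented ones: `G` good, `B` bad, `U` unknown validity, `X`/`Y` expired, `R` revoked, `E` cannot be checked, `N` no signature) and enforces the policy "a trusted author's commit is only accepted if it carries a good signature from a key enrolled for that author". The author emails and key fingerprints in `TRUSTED_KEYS` and the sample log lines are constructed for the example; the one thing the example deliberately does not do is trust the author email by itself, since anyone can set it.

```python
"""Audit git commits: trust an author only when the signature matches an enrolled key.

Added example; the trusted-key table and the sample log lines below are constructed.
"""
import subprocess
from dataclasses import dataclass

# Tab-separated fields: hash, signature status (%G?), signing-key fingerprint (%GF),
# author email (%ae). %x09 is a literal tab in git's pretty-format syntax.
LOG_FORMAT = "%H%x09%G?%x09%GF%x09%ae"

# Author email -> set of enrolled signing-key fingerprints. Hypothetical values:
# a real deployment would load these from a reviewed, version-controlled file.
TRUSTED_KEYS = {
    "dependabot[bot]@users.noreply.github.com": {"4AEE18F83AFDEB23DEADBEEFDEADBEEFDEADBEEF"},
    "alice@example.com": {"0123456789ABCDEF0123456789ABCDEF01234567"},
}


@dataclass
class Commit:
    sha: str
    sig_status: str   # one letter from %G?
    key_fpr: str      # empty when there is no verifiable signature
    author_email: str


def parse_log(text: str) -> list[Commit]:
    """Parse lines produced by `git log --format=LOG_FORMAT`."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, fpr, email = line.split("\t")
        commits.append(Commit(sha, status, fpr, email))
    return commits


def check_commit(commit: Commit, trusted: dict[str, set[str]]) -> tuple[bool, str]:
    """Return (accepted, reason). Only 'G' from an enrolled key is accepted.

    'U' (good signature, key validity unknown) is rejected on purpose: a key that
    merely happens to be in the verifier's keyring is not an enrolled key.
    """
    enrolled = trusted.get(commit.author_email)
    if enrolled is None:
        return False, "author is not in the trusted set; needs normal review"
    if commit.sig_status == "N":
        return False, "unsigned: the author email alone proves nothing"
    if commit.sig_status != "G":
        return False, f"signature status {commit.sig_status!r} is not 'G' (good)"
    if commit.key_fpr not in enrolled:
        return False, "good signature, but from a key not enrolled for this author"
    return True, "good signature from an enrolled key"


def audit(log_text: str, trusted: dict[str, set[str]]) -> dict[str, tuple[bool, str]]:
    """Map each commit hash in the log text to its (accepted, reason) verdict."""
    return {c.sha: check_commit(c, trusted) for c in parse_log(log_text)}


def git_log_range(rev_range: str) -> str:
    """Fetch real log lines for e.g. 'origin/main..HEAD' (requires git and the keys)."""
    out = subprocess.run(
        ["git", "log", f"--format={LOG_FORMAT}", rev_range],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


# Constructed sample output, as `git log --format=LOG_FORMAT` would print it.
SAMPLE_LOG = "\n".join([
    # genuine bot commit: good signature, enrolled key
    "1" * 40 + "\tG\t4AEE18F83AFDEB23DEADBEEFDEADBEEFDEADBEEF\tdependabot[bot]@users.noreply.github.com",
    # spoofed author email, no signature at all
    "2" * 40 + "\tN\t\tdependabot[bot]@users.noreply.github.com",
    # spoofed author email, signed with the attacker's own key
    "3" * 40 + "\tG\tCAFEBABECAFEBABECAFEBABECAFEBABECAFEBABE\tdependabot[bot]@users.noreply.github.com",
    # right key but the verifier could not check it (key missing from keyring)
    "4" * 40 + "\tE\t\talice@example.com",
    # author nobody has enrolled: falls back to ordinary review
    "5" * 40 + "\tG\t0000000000000000000000000000000000000000\tmallory@example.com",
])


if __name__ == "__main__":
    for sha, (ok, why) in audit(SAMPLE_LOG, TRUSTED_KEYS).items():
        print(f"{sha[:12]} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

In a real pipeline you would feed `audit(git_log_range("origin/main..HEAD"), TRUSTED_KEYS)` to a CI step and fail the merge on any rejected commit from a trusted author. Because git prints `G` for any key it can verify, the fingerprint allowlist is what turns "a valid signature" into "a signature from the party we actually enrolled"; if your signers rotate subkeys, compare `%GP` (primary key fingerprint) instead of `%GF`.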



