Measures become targets, and so they should, or why are you measuring?
As GitHub rolled out CodeQL and Dependabot, it was inevitable that "Dependabot Zero" (no open Dependabot alerts on a repository) would become a thing.
We have been chasing Dependabot Zero all year, and just as it became a squad measure we achieved zero. Of course, the next day seven new vulnerabilities were discovered.
Having baselined, we can now keep up. We have good test coverage and CI/CD, and we have enforced a single Maven dependency management artifact, creating a modular monolith, so we can now respond to each new crop of vulnerabilities as they are discovered.
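In Maven, a single dependency management artifact is normally a BOM: a POM with `<packaging>pom</packaging>` whose `<dependencyManagement>` pins every third-party version, which each module then imports so that no module declares a version of its own. A Dependabot alert on a library is then closed by one pull request against the BOM rather than one per module. The two POMs below are an added illustration of that layout, not the post's own build files; the coordinates `com.example:platform-bom` and `com.example:service-a`, the module layout and the library and plugin versions are placeholders chosen for the example.

```xml
<!-- ===== platform-bom/pom.xml: the one place versions are declared ===== -->
<!-- Illustrative example; coordinates and versions are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>platform-bom</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>

  <properties>
    <!-- Every third-party version lives here; a Dependabot PR changes one line. -->
    <jackson.version>2.15.2</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>

<!-- ===== service-a/pom.xml: a module imports the BOM and declares no versions ===== -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>service-a</artifactId>
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- scope "import" pulls the BOM's managed versions into this module -->
      <dependency>
        <groupId>com.example</groupId>
        <artifactId>platform-bom</artifactId>
        <version>1.0.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <!-- no <version> here: it resolves from the BOM -->
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>
        <executions>
          <execution>
            <id>enforce-single-version-source</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <!-- Fail the build if two dependency paths resolve different
                     versions of one artifact, so a module cannot quietly keep
                     an older copy that the BOM bump was meant to replace. -->
                <dependencyConvergence/>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

One caveat worth checking when the next crop of alerts arrives: a vulnerable library that reaches you only transitively, and is not yet listed in the BOM, keeps whatever version its parent library requested, because Maven's nearest-wins resolution is what decides it. Adding a managed entry for it to the BOM overrides that choice for every module at once, which is exactly why the single artifact makes the alerts tractable.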

