Closed
Description
The new v1.11.x series of patch releases seems to be almost fully automated:
- @dependabot creates automated PRs to update dependencies
- @gr2m merges it
- @semantic-release-bot creates an automated release
This has led to 6 patch releases within 2.5 months, without any substantial changes.
The problem with that is that dependabot then also creates automated PRs in all repos that depend on create-github-app-token. As a reviewer of such PRs, I feel like this is a waste of human attention. Especially because patch releases could also contain fixes for security vulnerabilities, so I can't just ignore such PRs.
Suggestion
Automated releases should only happen if there are any substantial updates included, which dependency updates are not.