Dependabot is the biggest source of PR spam for me as it's config is so simplistic, you can't easily make it group upgrades. So, when I see suddenly almost a hundred PRs created, I do the upgrade myself, push it, and then Dependabot closes the PR, but I love the hundreds of emails around this process, too.
As I said, it's not easy, and not everything is possible either. Monorepos are the biggest victim. I wrote a script that generates the Dependabot config and a GitHub action that updates it when my monorepo changes.
