Weaponizing Dependabot: Pwn Request at its finest

created: June 6, 2025, 10:55 a.m. | updated: June 7, 2025, 12:14 p.m.

But in our Dependabot deputy confusion scenario, Dependabot has a very particular naming scheme for its branches (dependabot/<ecosystem>/...). So, you might think, "Phew, Dependabot deputy confusion is immune to injection Pwn Requests!"

The @dependabot recreate: Comment @dependabot recreate on the original Dependabot Pull Request.

Default Branch Swap: Change the default branch of your forked repository to this new payload-named branch.

The @dependabot merge Command: Go to the original Dependabot PR and comment: @dependabot merge.

6 months, 1 week ago: Hacker News