Dependabot Bumps: do I need to take action?

I regularly get mails from GitHub Dependabot with the subject line "Bump hugo-extended from <version> to <version>".
These confuse me. Do I need to take action, or is it just a confirmation that GitHub has automagically updated my Hugo project and all is well?

If you are using GitHub Actions, you should set the variable HUGO_VERSION in your Hugo workflow file as mentioned here in step 6


jobs:
  # Build job
  build:
    runs-on: ubuntu-latest
    env:
      HUGO_VERSION: 0.123.0

This will make sure your server Hugo version is not updated automatically and your website doesn’t show any unwanted errors due to incompatibilities with newer versions.
However, you should update Hugo versions at regular intervals, keeping in mind that some Hugo upgrades break old code.

Thanks for your answer, but I would like Dependabot to handle all updates for now.
So if I don’t set the HUGO_VERSION variable, that is what will happen, right?

Not necessarily.
If you have no issues with fixing issues as they come, it is all fine.
Rather, the best way is to always keep an updated version of the software (Hugo), but this might require some regular maintenance.

Upgrades come at a cost.